Thomas Fuller | SOPA Images | Lightrocket | Getty Images
ex-Meta Employees sued social media companies on Monday over allegations that WhatsApp messaging services contain “systematic cybersecurity failures” that potentially compromise users’ privacy.
Attaullah Baig, former security officer at Whatsapp, claimed that Meta retaliated against him after Meta notified leaders, including Mark Zuckerberg, of security issues with messaging apps.
The lawsuit, filed in U.S. District Court for the Northern District of California, alleges that after joining WhatsApp in 2021, Baig discovered security flaws that violated Meta’s legal obligations relating to the 2020 privacy settlement with the Federal Securities Act and the Federal Trade Commission.
During a test conducted by Meta’s central security team, Baig claimed that “approximately 1,500 WhatsApp engineers discovered there was unlimited access to user data, including sensitive personal information, and that employees could “mov or steal such data without a trail of detection or auditing.”
Meta’s spokesman challenged Baig’s allegations in a statement, downplaying his role and rankings in the company.
“Sadly, this is a familiar playbook, revealing a distorted claim that a former employee was fired for poor performance and then misrepresented the ongoing hard work of our team,” the spokesman wrote. “Security is a hostile space and we pride ourselves on building on a strong record of protecting people’s privacy.”
Baig is represented by whistleblower organization PSST.org and law firms Schonbrun, Seplow, Harris, Hoffman and Zeldes.
The lawsuit does not claim that user data has been compromised, but Baig tells his boss in multiple cases that cybersecurity failure poses a regulatory compliance risk. Some of the suspicious security flaws include the failure to maintain 24-hour security operations center fittings of the size and size of WhatsApp, systems that monitor user data access, and “comprehensive inventory of systems that store user data, appropriate protection and regulatory disclosure.”
Baig’s lawyers alleged in the lawsuit that there have been multiple instances of bosses criticizing his work, and said they began receiving “negative performance feedback” within three days of his initial “cybersecurity disclosure.”
In November, Baig notified the SEC of “cybersecurity flaws and failure to inform investors about material cybersecurity risks,” the lawsuit states.
A month later, Baig sent Zuckerberg the second of two letters, this time informing the CEO that he had “submitted a SEC complaint” and that he “requests immediate action to address both underlying compliance obstacles and illegal retaliation.”
In January, Bayg filed a complaint with the Occupational Safety and Health Administration, recording “systematic retaliation” he received after security disclosure, according to the lawsuit.
The following month, the complaint said Meta fired Baig and cited “deteriorating performance” as part of a February layoff that affected 5% of staff.
“The timing and circumstances of Mr. Baig’s termination establish a clear causal relationship with his protected activities, and closely occur in time to his external regulatory applications, representing the pinnacle of more than two years of systematic retaliation for cybersecurity disclosure and his cybersecurity disclosure and advocacy over compliance with federal law and regulatory orders,” the lawsuit states.
Baig’s attorneys filed a notice in federal court on Monday to remove SEC-related claims, saying they “were exhausted administrative relief measures before filing this case.”
Surveillance: Meta pushes back whatsApp ban on devices used by the House of Representatives.
