Ex-WhatsApp security chief sues Meta over privacy risks
A former WhatsApp security engineer has filed a whistleblower lawsuit against Meta, alleging privacy violations, data insecurity, and retaliation after reporting concerns to US authorities.
People talk near a Meta sign outside of the company's headquarters in Menlo Park, Calif., March 7, 2023 (AP)
A former security engineer at Meta’s WhatsApp sued Meta on Monday, accusing the company of failing to protect its users’ data, violating privacy regulations on multiple continents, and firing him in retaliation for filing whistleblower complaints with US authorities.
The suit in San Francisco’s US District Court by Attaullah Baig said the retaliation began in 2022, after a series of positive performance reviews, when he submitted internal critiques and proposals for limiting employee access to user data and better protecting accounts from being hijacked. Baig stated that his complaints and the retaliation intensified until he was laid off in February.
Baig, who was WhatsApp’s head of security, stated that WhatsApp violated a previous agreement with the US Federal Trade Commission to maintain a robust security program, which, in his view, required round-the-clock security staffing. He also said the platform failed to implement measures that would have made it significantly easier to restore stolen accounts.
500,000 accounts stolen a day
In one eye-opening claim, Baig estimated that 500,000 WhatsApp accounts are stolen daily out of the billions in use, adding in his filing that the platform, which is used worldwide, did not disclose everything it collected from users and was unable to effectively spot security breaches.
“This is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” a Meta spokesman, Carl Woog, stated, rejecting Baig’s claims. “Security is an adversarial space and we pride ourselves in building on our strong record of protecting people’s privacy,” the spokesman said.
Baig claimed the company had only 10 “security engineers” as of 2022, while 1,500 engineers had access to some protected data, a number far greater than necessary, with WhatsApp unable to track what they did with it.
Some of Baig’s contentions resemble those brought by Peiter Zatko in 2022 regarding security failings at the company then known as Twitter, which has since been bought and renamed X by Elon Musk. Zatko also claimed the platform could not monitor its employees’ actions and violated a prior agreement with the FTC.
Privacy has been a major selling point for WhatsApp, which uses the same methods for strong encryption as the nonprofit Signal. Despite politicians in some countries demanding access, neither app maker can read user messages, as they are encrypted from one user’s device to another’s.
However, WhatsApp collects much more information about users than Signal does and pools that data with information from Facebook and its other units. Meanwhile, top phone spyware vendors have said they found weaknesses in WhatsApp that allowed them to break into the app and, in some cases, turn the phone into a spying machine.
The US House has barred its staff from using WhatsApp while allowing more secure alternatives like Signal and Apple’s iMessage.