Ex-WhatsApp Security Chief Sues Meta, Calls Culture a “Cult”

Summary
– Meta has heavily advertised WhatsApp’s privacy, claiming messages are encrypted and inaccessible even to the company.
– A former WhatsApp security head filed a whistleblower lawsuit alleging Meta ignored and concealed serious security and privacy flaws.
– The lawsuit claims Meta violated a $5 billion FTC settlement by failing to address these issues after being made aware of them.
– The whistleblower discovered that around 1,500 WhatsApp engineers had unrestricted access to user data, risking misuse without detection.
– Despite internal warnings and proposed fixes, Meta allegedly resisted changes due to a culture discouraging questioning of past decisions.

For months, global television audiences have been met with a steady stream of commercials from Meta, each one promoting the privacy and security of its WhatsApp messaging platform. These ads, featuring well-known actors and reassuring messages, insist that user conversations remain completely confidential, unseen and unheard by anyone, including the company itself. Yet a new federal lawsuit tells a starkly different story, one that challenges these very claims.
The legal complaint, filed in U.S. District Court for the Northern District of California, comes from Attaullah Baig, the former head of security at WhatsApp. His suit alleges that Meta was not only aware of significant security vulnerabilities but actively concealed them, potentially violating a historic $5 billion settlement previously reached with the Federal Trade Commission. Meta has publicly denied these accusations.
According to the filing, Baig uncovered what he describes as systemic cybersecurity failures shortly after stepping into his leadership role in 2021. During a red-team exercise intended to identify and resolve security gaps, he discovered that approximately 1,500 engineers within WhatsApp had what the suit calls “unrestricted access to user data.” This level of access, the complaint argues, allowed personal information, including data protected under the FTC order, to be moved or taken without leaving any detectable trace.
Beginning in September 2021, Baig repeatedly alerted his superiors that such broad employee permissions likely breached the 2019 FTC agreement. He drafted a formal document urging the WhatsApp privacy infrastructure team to adopt a data classification and handling system designed to limit internal access and better secure stored user information. This proposal, the suit states, was the first real effort to tackle what Baig viewed as fundamental flaws in data governance.
The complaint goes further, alleging that Meta’s internal culture resembled a “cult” where employees were discouraged from questioning past decisions, especially those approved by higher-ranking officials. Despite escalating his concerns to senior leadership over the following years, Baig claims his warnings were largely ignored, leaving user data exposed to what he considered serious and ongoing risks.
(Source: Ars Technica)