An ex-Meta employee sued the social media company on Monday over allegations that its WhatsApp messaging service contained “systemic cybersecurity failures” that potentially compromise user privacy.
Attaullah Baig, WhatsApp’s former head of security, alleged that Meta retaliated against him after he notified leaders, including CEO Mark Zuckerberg, of security issues on the messaging app.
The suit, filed in U.S. District Court for the Northern District of California, claims that after joining WhatsApp in 2021, Baig discovered security flaws that violated federal securities laws and Meta’s legal obligations related to a 2020 privacy settlement with the Federal Trade Commission.
During a test performed with Meta’s central security team, Baig alleged he “discovered that approximately 1,500 WhatsApp engineers had unrestricted access to user data, including sensitive personal information” and that the staff “could move or steal such data without detection or audit trail.”
A Meta spokesperson disputed Baig’s allegations in a statement, and downplayed his role and ranking at the company.
“Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” the spokesperson wrote. “Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”
Baig is being represented by the whistleblower group Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman and Zeldes.
Although the lawsuit does not claim that any user data was compromised, it says that Baig told superiors on a number of occasions that the cybersecurity failures posed a regulatory compliance risk. Some of the alleged security flaws include WhatsApp’s failure to maintain a 24-hour security operations center befitting its size and scale, systems to monitor user data access and “a comprehensive inventory of systems storing user data, preventing proper protection and regulatory disclosure.”
Baig’s attorneys claim in the suit that there were a number of instances of his superiors criticizing his work, and said that within three days of his initial “cybersecurity disclosure,” he started receiving “negative performance feedback.”
In November, Baig notified the SEC of the alleged “cybersecurity deficiencies and failure to inform investors about material cybersecurity risks,” the suit says.
A month later, Baig sent Zuckerberg the second of two letters, this time informing the CEO that he “had filed the SEC complaint” and that he was “requesting immediate action to address both the underlying compliance failures and the unlawful retaliation.”
In January, Baig then filed a complaint with the Occupational Safety and Health Administration, documenting “the systemic retaliation” he claims he received after the security disclosures, according to the lawsuit.
The following month, the complaint says Meta fired Baig, citing “poor performance” as part of the company’s February round of layoffs affecting 5% of workers.
“The timing and circumstances of Mr. Baig’s termination establish clear causal connection to his protected activity, occurring in close temporal proximity to his external regulatory filings and representing the culmination of over two years of systemic retaliation for his cybersecurity disclosures and advocacy for compliance with federal law and regulatory orders,” the suit says.
Baig’s lawyers said that he submitted a notice to remove his SEC-related claims to federal court on Monday, and that he has “exhausted his administrative remedies prior to bringing this action.”
