Whistleblower warns of WhatsApp security lapses

Photo illustration: Allie Carl/Axios; Photo: The Washington Post/Getty Images
A former WhatsApp security leader filed a lawsuit Monday alleging that the Meta-owned messaging service neglected major security and privacy flaws that left users' data and accounts vulnerable.
Why it matters: The whistleblower complaint — the latest in a series against the tech giant — alleges that those security flaws resulted in more than 100,000 accounts being hacked every day.
- Many people turn to WhatsApp, which provides end-to-end encrypted messaging, for the added privacy benefits.
Zoom in: Attaullah Baig, former security executive at WhatsApp, claims in the lawsuit that about 1,500 engineers had unrestricted access to sensitive user data and that the company did not have adequate internal auditing and monitoring tools to see who accessed what data or to detect data breaches.
- The lawsuit, which was first reported by the New York Times, also alleges that he faced retaliation and was eventually fired for sharing his concerns with top executives, including Meta CEO Mark Zuckerberg.
Between the lines: Baig joined WhatsApp in January 2021, a year and a half after Meta had agreed to a privacy settlement with the Federal Trade Commission that called for routine internal audits and stronger privacy practices.
- Baig also shared his concerns with leaders at WhatsApp and across Meta in August 2022, following two cybersecurity incidents affecting WhatsApp users, according to the complaint.
The other side: "Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team," Meta spokesperson Andy Stone said in a statement Monday.
- Carl Woog, VP of communications at WhatsApp, also said in a statement to Axios that, "Security is an adversarial space and we pride ourselves in building on our strong record of protecting people's privacy."
- Meta said that the claims in the New York Times story were not "fully validated" and that Baig was a software engineering manager who left his role due to poor performance.
- The company pointed out that Baig also filed a complaint with the U.S. Department of Labor, which dismissed his concerns after an investigation.
What's next: The U.S. District Court for the Northern District of California has scheduled an initial case management conference for Dec. 11.
