
Meta's WhatsApp branded a 'cult' in lawsuit alleging security failures and cover-ups


Meta Accused of Cult-Like Culture and Security Negligence in Whistleblower Lawsuit

WhatsApp Security Head Alleges Cover-Up and Restricted Dissent

In a stunning federal lawsuit, a former high-ranking security official at WhatsApp has painted a grim picture of the social media giant, Meta, describing its internal culture as a "cult" where questioning leadership is stifled and critical cybersecurity vulnerabilities are allegedly ignored and concealed. Attaullah Baig, who led WhatsApp's security division starting in 2021, claims that despite Meta's public pronouncements about the privacy and security of its encrypted messaging service, used by an astonishing 3 billion users monthly, the reality within the company is far more perilous.

Systemic Security Lapses Revealed

Baig's complaint, filed in the U.S. District Court for the Northern District of California, details a disturbing landscape of security oversights. Shortly after his appointment, Baig uncovered what he termed "significant gaps" in the company's cyber defenses. During crucial "red team" tests designed to identify and rectify weaknesses, he discovered that approximately 1,500 engineers within WhatsApp possessed virtually unfettered access to user data. This included sensitive personal information protected by a previous $5 billion settlement between Facebook (now Meta) and the U.S. Federal Trade Commission (FTC). Baig asserts that these engineers could copy or move data without any oversight or audit trails, a direct contravention of the FTC agreement.

Corporate Culture: A "Cult" of Compliance?

The lawsuit vividly portrays a corporate environment where dissent is not tolerated. Baig described Meta's culture as akin to a "cult," where challenging decisions made by superiors is implicitly forbidden. This stifling atmosphere, according to Baig, prevented timely and effective solutions to the identified security risks. He attempted to address these fundamental data management issues by proposing a robust data classification and handling system designed to restrict employee access and enhance information security, a proposal he considered the "first real step" toward resolving deep-seated problems.

Escalating Concerns and Unanswered Warnings

As Baig persisted in raising alarms, his concerns expanded beyond mere data access. He highlighted a lack of comprehensive user data inventory—a requirement under California, EU, and FTC regulations—uncertainty about where certain data was stored, and the absence of essential monitoring systems for access and leak detection. In a desperate bid to force action, Baig reportedly sent a detailed letter to Meta CEO Mark Zuckerberg and General Counsel Jennifer Newstead, outlining probable violations of FTC and Securities and Exchange Commission (SEC) regulations, which mandate reporting of security vulnerabilities. The lawsuit also alleges Baig faced retaliation and that Meta's central security department deliberately "falsified reports" to downplay the severity of data leak risks.

Alarming Attack Statistics and Scraped Data

The scale of the threat is starkly illustrated by statistics Baig presented. In 2022, an estimated 100,000 users reportedly lost account access daily due to hacking incidents. By the following year, this alarming figure had skyrocketed to 400,000 per day. A particularly vexing issue highlighted is the rampant scraping of user profile data. Baig warned that WhatsApp lacked basic protections found in competing platforms like Signal and Apple Messages. He estimated that photos and names from roughly 400 million accounts were being copied daily, fueling sophisticated scams and profile impersonation schemes. Baig's proposed solution—restricting profile visibility to existing contacts, message recipients, or group chat members—was reportedly rejected by Meta, citing potential harm to user base growth.

Meta's Rebuttal: A Familiar Narrative?

Meta has vehemently denied all allegations, characterizing Baig's claims as a "familiar scenario" from a former employee terminated for poor performance. In a public statement, WhatsApp stated, "Security is a constant battle, and we are proud of our privacy protections." The company further clarified that the U.S. Department of Labor had previously dismissed Baig's whistleblower complaint. Meta asserted that Baig's role was that of a software development manager, not a senior security architect, and that his performance did not meet expectations, a conclusion corroborated by several senior engineers. The company also pushed back against the notion of a culture that suppresses feedback, emphasizing its commitment to open discussions and diverse approaches to developing advanced security features. Meta suggested that Baig's complaints were vague and duplicated existing efforts by other teams.

Post is written using materials from Ars Technica.
