The Indian American Whistleblower: An Alumnus of NIT Warangal and Former Head of Security at WhatsApp Sues Meta
- Engineer Attaullah Baig says the company systematically ignored critical security flaws and retaliated against him for trying to fix them.
In the gleaming corridors of Meta’s Menlo Park headquarters, Attaullah Baig thought he had found his dream job. As head of security for WhatsApp, the Indian American executive was responsible for protecting the digital conversations of three billion users worldwide. Instead, he claims he discovered a company that systematically ignored critical security flaws and retaliated against him for trying to fix them.
On Monday, Baig filed a bombshell lawsuit accusing Meta of endangering billions of WhatsApp users by ignoring major security and privacy vulnerabilities—allegations that have thrust the 40-something cybersecurity veteran into the spotlight as Silicon Valley’s newest high-profile whistleblower.
Baig’s path to this moment began decades ago at one of India’s most prestigious engineering institutions. The National Institute of Technology Warangal (NIT-Warangal or NIT-W) is a public technical and research university located in Warangal, India. It is recognized as an Institute of National Importance by the Government of India. The foundation stone for this institute was laid by then Prime Minister Jawaharlal Nehru in October 1959, the first in the chain of 31 NITs (formerly known as RECs) in the country.
Like many of his generation of Indian engineers, Baig leveraged his rigorous technical education at NIT Warangal as a springboard to America’s technology sector. According to Crunchbase, he has deep expertise in payments, fraud, e-commerce, data security, technology, etc. His career trajectory took him through some of America’s most security-conscious financial institutions.
Before joining Meta, Baig worked in cybersecurity roles at PayPal, Capital One and other major financial institutions, according to court documents and multiple news reports. This background in financial services—where regulatory compliance and data protection are paramount—would later inform his alarm at what he discovered inside WhatsApp.
The Dream Job Turns Nightmare
Baig joined WhatsApp in January 2021 as head of security, according to The New York Times. It seemed like the perfect role for someone with his background and ambitions. Baig said in the interview that working at Meta had been his “dream job” because of the company’s scale and the ability to solve problems that affected billions of users.
But shortly after starting, Baig conducted what’s known in cybersecurity circles as a “red-teaming” exercise—where employees pose as attackers to test system vulnerabilities. What he found, according to his lawsuit, was deeply troubling.
Roughly 1,500 WhatsApp employees had unrestricted access to sensitive user data, which was a violation of the company’s 2020 privacy settlement with the F.T.C., The New York Times reported, citing the lawsuit. The Guardian provided additional detail, noting that Baig discovered through internal security testing that WhatsApp engineers could “move or steal user data” including contact information, IP addresses and profile photos “without detection or audit trail.”
This wasn’t just a technical problem—it was a legal one. As part of the settlement with the F.T.C., Meta had agreed to stronger privacy practices that included regular independent auditing of its systems, limiting sharing of data and putting in place a clear and comprehensive data security program for its apps, according to The New York Times.
What followed was a pattern that would define Baig’s remaining years at the company. For over a year, Mr. Baig repeatedly tried to raise the issue to his supervisor, according to the suit, but was told to “focus on less critical application security tasks.”
The problems went beyond internal access controls. In October 2022, Baig documented a list of “critical cybersecurity problems” that he considered to be violating the F.T.C. order and securities laws, according to the suit. Meta was failing to address account hacking and wasn’t keeping track of all the data it was collecting on WhatsApp users, the suit claims.
In December, Baig informed Zuckerberg that he had filed a complaint with the S.E.C. stating that the company had failed to inform investors of cybersecurity risks, according to the suit.
According to the lawsuit, Baig documented that thousands of WhatsApp and Meta employees could gain access to sensitive user data including profile pictures, location, group memberships and contact lists. Meta, which owns WhatsApp, also failed to adequately address the hacking of more than 100,000 accounts each day and rejected his proposals for security fixes.
The scale of the alleged daily compromises was staggering. In an interview, Baig said that every day his team saw “real-world, actual harm happening,” such as “account compromises, scraping impersonation, journalists being targeted.”
Going to the Top
Frustrated by the lack of response from his immediate supervisors, Baig took his concerns to the highest levels of the company. He tried to warn Meta’s top leaders, including its chief executive, Mark Zuckerberg, that users were being harmed by the security weaknesses, according to the lawsuit.
The response, according to Baig’s allegations, was swift retaliation. His managers retaliated with threats of firing and withholding compensation, the suit claims. His performance reviews became more negative, and in February, he was fired.
Meta’s Defense
Meta has pushed back forcefully against Baig’s allegations. “Sadly, this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” said Carl Woog, a spokesman for WhatsApp. “Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”
The Guardian reported additional details of Meta’s defense: The company emphasized that Baig left due to poor performance, with multiple senior engineers independently validating that his work was below expectations. Meta noted in a statement that the Department of Labor’s Occupational Safety and Health Administration dismissed Baig’s initial complaint, finding that it had not retaliated against him.
Baig’s lawsuit represents the latest in a series of whistleblower complaints against Meta. He is the latest whistle-blower to come forward accusing Meta — which also owns Facebook and Instagram — of wrongdoing related to privacy, child safety and the spread of disinformation on its main platforms.
The New York Times noted that on Monday, another whistle-blower organization, Whistleblower Aid, said six former and current Meta employees had disclosed to Congress and federal regulators that the company put children at harm on its virtual reality products.
Perhaps most notably, in late 2021, Frances Haugen, another former employee, testified before Congress that the company had knowingly created products that harmed teenagers, among other safety concerns, presenting thousands of pages of internal documents to support her claims.
The Stakes
The implications of Baig’s allegations extend far beyond corporate governance. WhatsApp’s three billion users rely on the app’s promise of security and privacy, particularly its end-to-end encryption feature. Many of them turn to the app for its perceived security benefits, including encryption, which scrambles messages so they can be deciphered only by the sender and the intended recipient.
The lawsuit comes at a sensitive time for Meta’s relationship with regulators. In 2019, the company, then known as Facebook, agreed to pay a $5 billion fine and strengthen its privacy policies to settle charges that it had mishandled users’ information by allowing a British political consulting firm, Cambridge Analytica, to harvest data without permission.
That settlement included promises from the highest levels of the company. “Privacy is more central than ever to our vision for the future,” Zuckerberg said in a companywide meeting after the settlement was announced with the F.T.C. “And we’re going to change the way that we operate across the whole company, from the leadership down and the ground up. We’re going to change how we build products, and if we don’t, then we’re going to be held accountable for it.”
A Personal Reckoning
For Baig, the lawsuit represents both a professional duty and a personal reckoning. “There are just so many harms that the users face,” Mr. Baig said in an interview last week, adding that he had also alerted the F.T.C. and the Securities and Exchange Commission to his concerns. “This is about holding Meta accountable and putting the interests of users first.”
His view of his former employer has shifted dramatically: he now says that “Meta treats its users like they are just numbers on some dashboard.”
The case, filed in U.S. District Court for the Northern District of California, spans 115 pages of detailed allegations. In his whistleblower complaint, Baig is requesting reinstatement, back pay and compensatory damages, along with potential regulatory enforcement action against the company.
As the legal battle unfolds, Baig’s story represents more than just another corporate whistleblower case. It’s the tale of an Indian American engineer who rose through Silicon Valley’s ranks only to find himself challenging one of the world’s most powerful technology companies over the fundamental question of whether user privacy and security can coexist with corporate growth imperatives.
The outcome of his lawsuit may determine not just his own future, but the future of privacy protection for billions of users worldwide.
This story was aggregated by AI from several news reports and edited by American Kahani’s News Desk.
