All Content from Business Insider, September 17
Former WhatsApp security chief sues Meta, alleging it ignored privacy risks and retaliated

 

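A former WhatsApp security chief has sued Meta (Facebook's parent company), claiming the company ignored major privacy risks and retaliated against him for exposing cybersecurity problems. The executive, Attaullah Baig, said hackers were able to take over more than 100,000 accounts a day and that thousands of employees could access sensitive user data, putting millions of users at risk. He believes Meta's internal performance review system (PSC) was used to punish him, leading to his dismissal. Meta denied the allegations, saying the company values user privacy and calling Baig's claims distorted and untrue.

🚨 Privacy risks and large-scale data exposure: In his complaint, former WhatsApp security chief Attaullah Baig says serious privacy risks exist inside Meta. He claims that more than 100,000 WhatsApp accounts are hijacked by hackers every day and that thousands of employees can access users' sensitive information, including profile photos, location information, and contact lists, exposing millions of users to serious security threats and privacy leaks.

⚖️ Performance review system misused: One of Baig's core allegations is that Meta's system for evaluating employee performance, the "performance cycle" (PSC), was twisted to punish employees who raised security concerns. He says that although his work had consistently exceeded expectations and he was in line for a promotion, he faced retaliation immediately after raising security issues and was ultimately dismissed in the company's layoffs.

🏛️ Violations of a regulatory agreement and the law: According to the court filing, Baig believes Meta's conduct violated the privacy settlement it reached with the Federal Trade Commission (FTC) in 2019, as well as securities laws requiring companies to disclose risks to shareholders. He also filed a complaint about Meta's retaliation with the Occupational Safety and Health Administration (OSHA), although the Department of Labor has dismissed that complaint.

📈 Reward structure encourages "surface work": The article notes that WhatsApp's reward structure tends to encourage engineers to quickly produce large amounts of code to satisfy performance review requirements rather than solve deep-seated security problems. Because PSC scores depend on visible output, fixing cybersecurity vulnerabilities that do not show up directly in review metrics is discouraged. This culture leads employees toward "busy work" and short-lived fixes rather than truly addressing root problems.

🔍 Manipulating user harm metrics: Baig also claims that, to create the illusion of progress during performance review periods, employees manipulated internal "user harm" metrics (such as the number of accounts hacked or compromised). By artificially pushing these numbers down, they both raised their own performance scores and concealed underlying security problems without actually fixing them.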


A former WhatsApp security chief alleges that Meta's obsession with performance reviews left millions of users vulnerable and also cost him his job.

Attaullah Baig, WhatsApp's former head of security, sued Meta earlier this month, alleging that the company ignored major privacy risks and that he faced retaliation for his cybersecurity disclosures. He said hackers were taking over more than 100,000 accounts a day and that thousands of employees had access to sensitive user data like profile photos, locations, and contact lists, leaving millions of users exposed.

At the heart of Attaullah's complaint is a striking claim: that Meta's internal system used to evaluate how employees perform, known as the Performance Summary Cycle (PSC), was twisted to punish him.

In an interview with Business Insider, Baig emphasized what he alleged in his lawsuit: that his reviews consistently exceeded expectations, and that he was in line for a promotion and additional equity until he raised concerns about WhatsApp users' security.

"It was almost immediate," he said of the alleged retaliation.

In response to questions about Baig's allegations, WhatsApp spokesperson Zade Alsawah said, "These are a mixture of distorted and false claims that misrepresent the hard work of our team. We pride ourselves in building on our strong record of protecting people's privacy."

The complaint says that Baig tried to warn Meta's top leaders, including CEO Mark Zuckerberg, that the security weaknesses harmed users. In response, he contends, his managers retaliated and let him go in February as part of Meta's performance-based layoffs earlier this year. He alleges that he was included in those because he spoke out.

In the suit, Baig claims that Meta's actions violated a privacy settlement it reached with the Federal Trade Commission in 2019 and securities laws that require companies to disclose risks to shareholders. Baig filed a complaint with the Occupational Safety and Health Administration in April against Meta for alleged retaliation.

"We insist on multiple perspectives and rigorous debate because it helps us continue to build and launch many of our industry's leading security features and protections," Alsawah said.

He added that the Department of Labor had dismissed Baig's complaint. Business Insider has seen a copy of the department's letter dismissing the complaint.

Meta's performance culture

Meta's culture has long revolved around the PSC, a system that employees say dictates promotions and layoffs. Earlier this year, the company laid off thousands of employees who were labeled "low performers" in their PSC with little warning, including Baig.

Several parts of Baig's lawsuit say that Meta's PSC culture encourages employees to focus on surviving performance reviews rather than genuinely protecting users. It says that employees concentrate on "busy work" and quick, temporary solutions to meet performance review expectations.

"This company runs on PSC," one engineering manager at WhatsApp is quoted as saying in the lawsuit.

In another example, Baig's complaint says a team acknowledged its work wasn't about addressing security threats at all. It said the real aim was to optimize for the PSC, boost scores, and avoid being flagged as underperformers.

Baig's allegations have drawn scrutiny from lawmakers. Last week, three senior Republican lawmakers — Sens. Charles Grassley of Iowa, Josh Hawley of Missouri, and Marsha Blackburn of Tennessee — sent a letter to Zuckerberg demanding responses to Baig's claims about security and privacy flaws on WhatsApp. They asked whether Meta had violated a settlement with federal regulators by allowing major security vulnerabilities to persist without informing shareholders and the public.

"Meta's culture is to attack the messenger, not the message," Baig told Business Insider. "The reason this whole thing is big is because of user harm."

WhatsApp's reward structure

The filing says that WhatsApp's reward structure pushed engineers to churn out large amounts of code to keep the app appearing functional, rather than to fix deeper problems. Because PSC scores depended on visible output, engineers were effectively discouraged from tackling entrenched cybersecurity flaws, which didn't show up in review metrics, the lawsuit said.

The suit alleges that employees were rewarded for making systems artificially complex. Engineers and product managers often copied features from rivals like Signal, Telegram, and iMessage, adding layers of unnecessary work that padded out their evaluations.

The complaint adds that server engineers repeatedly misconfigured and reconfigured systems "thousands of times per year," not to strengthen protections but to generate the activity needed to show progress. The churn itself — not the outcome — became the path to promotions and job security.

The lawsuit also claims that employees went beyond busy work to massage the numbers themselves. Baig contends that employees manipulated internal "user harm" metrics — figures meant to track how many WhatsApp accounts were being hacked or compromised — around review periods to make the numbers look lower, creating the appearance of progress and boosting performance scores without fixing the underlying problems.

In one example, Baig says a security feature he designed, called Post-Compromise Account Recovery, was rolled back because implementing the fix would have embarrassed other company leaders by exposing gaps in their teams' work and dragging down their performance scores.

"Regarding his claims about features he worked on being rolled back: it takes effort to make sure ideas work at the scale in which we operate," Alsawah, the Meta spokesperson, said in a statement. "This is a feature that in fact is available to users today."

Meta's golden handcuffs

Meta's lavish pay packages, Baig said, kept many employees from challenging the culture, even when they disagreed with how users were treated. He said his own termination cost him tens of thousands of dollars in raises and bonuses, plus roughly $600,000 in equity.

"Meta has a very good campus and benefits," he told Business Insider. "In many ways, it's the best company to work at. But you have to agree with their philosophy of treating users as pure numbers on their dashboard."

Baig's allegations come against the backdrop of a company increasingly defined by performance ratings. Earlier this year, Meta cut about 5% of its workforce — nearly 4,000 people — after managers were instructed to slot 12% to 15% of their teams into the bottom review categories, ensuring a pool of so-called low performers that could be targeted for cuts.

Midyear reviews tightened the screws further. Meta told managers to place 15% to 20% of staff in "below expectations," up from 12% to 15% a year earlier, expanding the ranks of underperformers, Business Insider reported in May.

Have a tip? Contact Pranav Dixit via email at pranavdixit@protonmail.com or Signal at 1-408-905-9124. Use a personal email address, a nonwork WiFi network, and a nonwork device; here's our guide to sharing information securely.

Read the original article on Business Insider
