In a recent development, a former employee of WhatsApp, A. Baig, has raised serious allegations concerning data privacy breaches within the company. The core of the issue appears to be improper access by engineers to user data, a matter underscored in a letter outlining several compliance shortcomings. These include failing to maintain an inventory of user data, as mandated by privacy statutes in California, the European Union, and the Federal Trade Commission (FTC) settlement. Further deficiencies highlighted were the inability to locate the storage systems holding user data, the lack of monitoring of user data access, and an overall failure to detect data breaches, controls that have become standard practice at many other technology firms.
In a detailed letter directed to Meta CEO Mark Zuckerberg and General Counsel Jennifer Newstead, Baig referenced apparent violations of both the FTC settlement and Securities and Exchange Commission (SEC) regulations that demand timely reporting of security vulnerabilities. He further claimed that retaliatory actions were taken against him by Meta leadership, alleging that the company’s security team had fabricated reports to obscure decisions not to mitigate data exfiltration risks.
The lawsuit initiated by Baig cites violations of whistleblower protections under the Sarbanes-Oxley Act of 2002. Alarmingly, it reports that as many as 100,000 WhatsApp accounts were allegedly hacked each day in 2022, escalating to approximately 400,000 users being locked out of their accounts daily due to unauthorized takeovers.
Additionally, Baig expressed concerns about data scraping on the platform, pointing out that WhatsApp had not instituted protections against profile scraping comparable to those in competing messaging apps such as Signal and Apple Messages (iMessage). He estimated that roughly 400 million user profiles were being improperly accessed daily, often to build fraudulent impersonation accounts. To address this, Baig proposed restricting access to a user's profile unless specific conditions were met, such as the two users being mutual contacts or having previously messaged each other. He contended that WhatsApp was leaking sensitive information on millions, if not billions, of users daily and that the company was underreporting scraping incidents to the FTC and other regulatory bodies.
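To make the proposed control concrete, here is an added example (not code from the article, nor from WhatsApp or Meta) of a profile-visibility gate in Python: a lookup returns a full profile only when the requester and the target are mutual contacts or have previously exchanged messages, and otherwise returns the same minimal stub whether or not the number exists. The in-memory `Directory` model, the phone numbers and the `lookup` response shape are all constructed for the demonstration.

```python
"""Added example: profile-visibility gate of the kind proposed in the letter.
All data structures, names and numbers here are constructed for the demo."""

from dataclasses import dataclass, field


@dataclass
class Profile:
    phone: str
    display_name: str
    photo_url: str
    about: str


@dataclass
class Directory:
    profiles: dict = field(default_factory=dict)   # phone -> Profile
    contacts: dict = field(default_factory=dict)   # phone -> set of phones in that user's address book
    messaged: set = field(default_factory=set)     # frozenset({a, b}) for every pair that has messaged

    def add_profile(self, p: Profile) -> None:
        self.profiles[p.phone] = p
        self.contacts.setdefault(p.phone, set())

    def add_contact(self, owner: str, other: str) -> None:
        self.contacts.setdefault(owner, set()).add(other)

    def record_message(self, sender: str, recipient: str) -> None:
        self.messaged.add(frozenset((sender, recipient)))

    def is_mutual_contact(self, a: str, b: str) -> bool:
        return b in self.contacts.get(a, set()) and a in self.contacts.get(b, set())

    def has_prior_messaging(self, a: str, b: str) -> bool:
        return frozenset((a, b)) in self.messaged

    def can_view_profile(self, viewer: str, target: str) -> bool:
        """Gate condition from the letter: mutual contact OR prior messaging."""
        if viewer == target:
            return True
        return self.is_mutual_contact(viewer, target) or self.has_prior_messaging(viewer, target)

    def lookup(self, viewer: str, target: str) -> dict:
        """Profile lookup as a client API call would see it."""
        p = self.profiles.get(target)
        if p is None or not self.can_view_profile(viewer, target):
            # Identical stub for 'not registered' and 'not visible', so the endpoint
            # cannot be used to confirm which numbers have an account (assumed design choice).
            return {"phone": target, "visible": False}
        return {"phone": p.phone, "visible": True, "display_name": p.display_name,
                "photo_url": p.photo_url, "about": p.about}


def build_demo() -> Directory:
    """Constructed sample data: Alice<->Bob are mutual contacts, Carol once messaged Alice."""
    d = Directory()
    d.add_profile(Profile("+15550001", "Alice", "https://example.invalid/a.jpg", "hi"))
    d.add_profile(Profile("+15550002", "Bob", "https://example.invalid/b.jpg", "hey"))
    d.add_profile(Profile("+15550003", "Carol", "https://example.invalid/c.jpg", "yo"))
    d.add_profile(Profile("+15551234", "Unrelated", "", ""))   # account with no relationships
    d.add_contact("+15550001", "+15550002")
    d.add_contact("+15550002", "+15550001")
    d.record_message("+15550003", "+15550001")
    return d


def enumerate_range(d: Directory, viewer: str, prefix: str, count: int) -> int:
    """Count how many full profiles a sequential lookup over a number range returns.
    Used here to show that an unrelated account learns nothing from bulk lookups."""
    leaked = 0
    for i in range(count):
        if d.lookup(viewer, f"{prefix}{i:04d}")["visible"]:
            leaked += 1
    return leaked


if __name__ == "__main__":
    demo = build_demo()
    print(demo.lookup("+15550001", "+15550002"))          # full profile (mutual contacts)
    print(demo.lookup("+15551234", "+15550001"))          # stub (no relationship)
    print(enumerate_range(demo, "+15551234", "+1555", 100))  # 0 profiles visible
```

The decision is made server-side per request, so a client that has no relationship with the target gets the same answer whether the number is registered or not; that is what removes the value of walking through number ranges.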
However, Meta’s response to Baig’s recommendation was dismissive, arguing that such changes would impede the platform’s user growth.
In correspondence regarding the situation, a WhatsApp spokesperson characterized Baig’s claims as a familiar narrative where a former employee, dismissed for performance issues, distorts facts about the firm’s operational integrity. The spokesperson emphasized their commitment to user privacy and security amidst a challenging digital landscape.
The alleged conduct maps onto several MITRE ATT&CK tactics, notably Initial Access and Persistence: social engineering can give attackers a foothold in user accounts, and once inside they can keep exploiting unresolved weaknesses. The reported failure to monitor user data access also points to inadequate logging and visibility, which compounds the risk posed by these alleged breaches.
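The monitoring gap is the part a defender can act on directly. As an added illustration (not from the article, and not Meta's or WhatsApp's tooling), the Python below reviews an internal data-access audit log and flags two patterns: reads of user records that cite no support or legal ticket, and an actor touching many distinct users within a short window. The log lines, field names (`actor`, `action`, `user_id`, `ticket`) and thresholds are constructed assumptions for the demo.

```python
"""Added example: audit-log review for internal access to user data.
Log records, field names and thresholds are constructed for this demonstration."""

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (JSON lines). eng-17 and eng-88 cite tickets and read
# few records; eng-42 reads six distinct users in seconds with no ticket.
SAMPLE_LOG = """\
{"ts": "2022-03-01T10:00:00Z", "actor": "eng-17", "action": "read_user_record", "user_id": "u-1001", "ticket": "SUP-4410"}
{"ts": "2022-03-01T10:00:05Z", "actor": "eng-17", "action": "read_user_record", "user_id": "u-1002", "ticket": "SUP-4410"}
{"ts": "2022-03-01T10:01:00Z", "actor": "eng-42", "action": "read_user_record", "user_id": "u-2001", "ticket": ""}
{"ts": "2022-03-01T10:01:01Z", "actor": "eng-42", "action": "read_user_record", "user_id": "u-2002", "ticket": ""}
{"ts": "2022-03-01T10:01:02Z", "actor": "eng-42", "action": "read_user_record", "user_id": "u-2003", "ticket": ""}
{"ts": "2022-03-01T10:01:03Z", "actor": "eng-42", "action": "read_user_record", "user_id": "u-2004", "ticket": ""}
{"ts": "2022-03-01T10:01:04Z", "actor": "eng-42", "action": "read_user_record", "user_id": "u-2005", "ticket": ""}
{"ts": "2022-03-01T10:01:05Z", "actor": "eng-42", "action": "read_user_record", "user_id": "u-2006", "ticket": ""}
{"ts": "2022-03-01T10:05:00Z", "actor": "eng-88", "action": "read_user_record", "user_id": "u-3001", "ticket": "SUP-4411"}
{"ts": "2022-03-01T12:05:00Z", "actor": "eng-88", "action": "read_user_record", "user_id": "u-3002", "ticket": "SUP-4411"}
{"ts": "2022-03-01T14:05:00Z", "actor": "eng-88", "action": "read_user_record", "user_id": "u-3003", "ticket": "SUP-4411"}
"""


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def review(text: str, bulk_threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Return a list of findings. Rule 1: each user-record read must cite a ticket.
    Rule 2: an actor reading >= bulk_threshold distinct users within `window` is flagged once."""
    events = sorted(parse_log(text), key=lambda e: e["ts"])
    findings = []

    for e in events:
        if e["action"] == "read_user_record" and not e.get("ticket"):
            findings.append({"rule": "no_ticket", "actor": e["actor"],
                             "user_id": e["user_id"], "ts": e["ts"].isoformat()})

    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == "read_user_record":
            per_actor[e["actor"]].append(e)

    for actor, evs in per_actor.items():
        start = 0
        for end, e in enumerate(evs):
            # Slide the window start forward past events older than `window`.
            while evs[start]["ts"] < e["ts"] - window:
                start += 1
            distinct = {x["user_id"] for x in evs[start:end + 1]}
            if len(distinct) >= bulk_threshold:
                findings.append({"rule": "bulk_access", "actor": actor,
                                 "distinct_users": len(distinct),
                                 "window_end": e["ts"].isoformat()})
                break
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, e.g. {'no_ticket': 6, 'bulk_access': 1}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for f in results:
        print(f)
    print(summarize(results))
```

Both rules depend on the log existing in the first place: each read of a user record has to be written with the actor, the record touched and the justification, or there is nothing to review. The ticket check is deliberately strict (an empty field is a finding), because a justification that is optional in practice is rarely filled in.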
With issues surrounding data security continuing to escalate, business owners must remain vigilant, reviewing their security protocols and practices to mitigate similar risks within their operations.