Ex-Meta employee files whistleblower suit for alleged security flaws at WhatsApp

An ex-Meta employee sued the social media company on Monday over allegations that its WhatsApp messaging service contained “systemic cybersecurity failures” that potentially compromise user privacy.
Attaullah Baig, WhatsApp’s former head of security, alleged that Meta retaliated against him after he notified leaders, including CEO Mark Zuckerberg, of security issues at the messaging app.
The suit, filed in U.S. District Court for the Northern District of California, claims that after joining WhatsApp in 2021, Baig found security flaws that put Meta in violation of federal securities laws and of its legal obligations under a 2020 privacy settlement with the Federal Trade Commission.
During a test conducted with Meta’s central security team, Baig alleged he “discovered that approximately 1,500 WhatsApp engineers had unrestricted access to user data, including sensitive personal information” and that the employees “could move or steal such data without detection or audit trail.”
A Meta spokesperson disputed Baig’s allegations in a statement, and downplayed his role and ranking at the company.
“Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” the spokesperson wrote. “Security is an adversarial space, and we pride ourselves in building on our strong record of protecting people’s privacy.”
Baig is being represented by the whistleblower organization Psst.org and the law firm Schonbrun, Seplow, Harris, Hoffman and Zeldes.
Although the lawsuit doesn’t claim that any user data was compromised, it says that Baig told superiors on multiple occasions that the cybersecurity failures posed a regulatory compliance risk. The alleged security flaws include WhatsApp’s failure to maintain a 24-hour security operations center befitting its size and scale, systems to monitor user data access, and “a comprehensive inventory of systems storing user data, preventing proper protection and regulatory disclosure.”
Baig’s attorneys claim in the suit that there were multiple instances of his superiors criticizing his work, and said that within three days of his initial “cybersecurity disclosure,” he began receiving “negative performance feedback.”
In November, Baig notified the SEC of the alleged “cybersecurity deficiencies and failure to inform investors about material cybersecurity risks,” the suit says.
A month later, Baig sent Zuckerberg the second of two letters, this time informing the CEO that he “had filed the SEC complaint” and that he was “requesting immediate action to address both the underlying compliance failures and the unlawful retaliation.”
In January, Baig then filed a complaint with the Occupational Safety and Health Administration, documenting “the systemic retaliation” he claims he received after the security disclosures, according to the lawsuit.
The following month, the complaint says Meta fired Baig, citing “poor performance” as part of the company’s February round of layoffs affecting 5% of staff.
“The timing and circumstances of Mr. Baig’s termination establish clear causal connection to his protected activity, occurring in close temporal proximity to his external regulatory filings and representing the culmination of over two years of systemic retaliation for his cybersecurity disclosures and advocacy for compliance with federal law and regulatory orders,” the suit says.
Baig’s lawyers said that he submitted a notice to remove his SEC-related claims to federal court on Monday, and that he has “exhausted his administrative remedies prior to bringing this action.”