
Meta Pauses Employee Monitoring After Security Gaps Exposed

Bottom line: Meta collected highly sensitive employee data (keystrokes, screen content, private conversations) with insufficient access controls, leading to repeated unauthorized access incidents.

Meta has temporarily halted its employee data collection program for AI training after multiple security breaches. Unauthorized employees were able to access sensitive data despite security measures in place—and this recurred even after the vulnerability was allegedly patched.

Since April 2024, Meta operated the Model Compatibility Initiative (MCI) program, which captured employee computer interactions: mouse movements, click positions, keystrokes, and screen content. The collected data included complete AI prompts, transcriptions, private conversations, and performance metrics. Employees could not opt out of the program. Meta justified the data collection by stating that employees were the best training source for AI systems designed to replicate human computer behavior.

On June 18, 2024, Meta discovered that unauthorized employees had accessed MCI data. According to Stephane Kasriel, Vice President of AI Research at Meta, the security vulnerability was closed within four hours. However, the fix did not hold; access had to be restricted again afterward. Security experts directed their criticism less at the monitoring program itself than at the insufficient protective measures. Karianne Michelle of consulting firm Acceligence diagnosed a classic organizational problem: “The policy decision and technical implementation took place in two different rooms that were not fully synchronized.”

Fritz Jean-Louis, Principal Cybersecurity Advisor at the Info-Tech Research Group, sees this as a typical error in AI data strategy: “Capturing high-risk telemetry without sufficiently mature access control mechanisms. At this scale, a single misconfiguration leads to systemic risks.” Carmi Levy, independent technology analyst, emphasizes that the lack of encryption and access controls represents the core risk—regardless of whether data was actually misused.

An additional risk factor was the data classification: Although the collected information was highly sensitive, it was not classified as personally identifiable information (PII) under strict compliance standards. This may have led Meta to the mistaken assumption that weak protective measures would suffice. Meta stated that the program is paused and the company is currently investigating how sensitive employee data could have been so widely distributed.


Source: www.csoonline.com · Published June 24, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.1.
