Meta Exposed Employee Tracking Data Internally — Now Pauses Controversial AI Training Program

The company’s controversial AI training initiative, which logged keystrokes and screen activity from workers’ laptops, exposed data across 45,000 internal database tables before anyone noticed.

Meta left a large pool of sensitive data — collected from employees’ own work laptops — accessible to anyone inside the company, according to an internal security notice and three current employees with direct knowledge of the situation. The company has now paused the program that collected the data while it investigates what went wrong.

The exposed information was gathered as part of Meta’s Model Capability Initiative (MCI), a deeply unpopular internal program launched in April that recorded keystrokes, mouse clicks, and on-screen content from the corporate laptops of US-based staff. The stated goal was to train artificial intelligence systems to operate software the way a skilled human user would.

The internal security notice revealed that data across roughly 45,000 internal database tables had been left open. Those tables are said to have contained highly personal material, including complete AI prompt histories and transcriptions, private conversations between employees, and performance data linked to individual workers.

“We have carefully designed this program with privacy safeguards and while we have no indication at this time that any data was improperly accessed by Meta employees, we’re pausing it while we investigate.”
— Meta spokesperson Tracy Clayton

The breach was quickly seized upon by employees who had already been vocal critics of the tracking program. In internal forums, workers questioned how Meta’s privacy review processes had failed to prevent the misconfiguration, and asked whether everyone whose data was potentially exposed would be given a chance to hear directly what happened. In one forum known for employee humor, a staff member posted a meme from The Office — a character holding a sign reading “0 days since our last nonsense.”

Meta’s chief technology officer, Andrew Bosworth, addressed employees directly in an internal post, acknowledging that the program’s rollout fell short of the privacy standards it was supposed to meet. He stated that access control lists had been misconfigured and that every data access needed to be traced and understood. This stands in notable contrast to comments Bosworth made just months ago, when he reassured worried employees that the initiative was tightly controlled and held to the same protective standards as Meta’s most sensitive internal datasets.

The security incident has poured fuel on a fire that was already burning. Last month, more than 1,600 Meta employees signed an internal petition warning that the surveillance program introduces both security and regulatory risks for Meta, including the potential for breaches and unauthorized disclosure. One engineer circulated a widely read internal memo arguing that having their laptop screen scraped without meaningful consent felt like a violation of their privacy — and amounted to exploitation.

Meta’s leadership had pushed back against that criticism. In a company-wide meeting last month, CEO Mark Zuckerberg defended the program by arguing that AI models learn best by watching highly capable people work, and that Meta’s workforce represented a higher quality data source than contractors hired specifically for the task. The comments did little to quiet the discontent.

In response to mounting pressure, Meta had already begun softening the program’s edges in recent weeks — introducing new exemptions that allowed employees to briefly disable monitoring during sensitive personal tasks, such as scheduling a medical appointment. Critics within the company say those half-measures were insufficient and have continued to push for a full halt.

The timing of the breach is particularly uncomfortable for Meta given its regulatory history. The company operates under a US Federal Trade Commission consent decree that runs until 2040, requiring it to maintain robust processes to prevent exactly this kind of data exposure. Current and former employees have previously described those requirements as outdated and poorly enforced.

The incident is also another blow to employee morale at a company already struggling on that front. Meta has been through several rounds of mass layoffs, a sweeping internal reorganisation, and a relentless pivot toward AI development. Earlier this year, the company reassigned roughly 6,500 employees into AI-focused roles — a move that many staff members have described as demoralising, with some characterising their new responsibilities as soul-crushing.

Bosworth acknowledged the communication breakdown in a memo to staff last week, calling the company’s handling of the AI reorganisation “atrocious” and pledging clearer updates and the return of some in-office perks. Whether those gestures — and now the pause on surveillance — will be enough to repair the relationship between Meta’s leadership and its workforce remains to be seen.

Sources familiar with the matter say the security incident has since been marked as resolved internally. But the questions it has raised — about oversight, consent, and whether Meta can be trusted with its own employees’ data — are unlikely to disappear as quickly.