The program built to watch Meta's employees ended up watching out for no one. Meta has paused its controversial Model Capability Initiative (MCI) — a mandatory AI training program that records employee keystrokes, mouse clicks, and screen content on company laptops — after a security failure exposed workers' most sensitive personal data to anyone inside the company.
The breach, independently confirmed by both Business Insider and WIRED through internal documents and employee sources, left data sitting unsecured across 45,000 internal data tables — large structured storage units the company uses to organize its operational data.
That exposed information included full AI interaction transcripts, private employee conversations, performance records, and detailed behavioral logs. In other words, nearly everything the program was collecting.
Meta internally rated it a SEV 2 on its severity scale of 0 to 5 — with 0 being the most catastrophic.
A Textbook Access Control Failure
Meta's Chief Technology Officer Andrew Bosworth pinned the cause directly: misconfigured ACLs, or access control lists — the permission rules that determine which employees can read, write, or modify specific company data. In an internal post viewed by WIRED, Bosworth wrote that MCI's implementation "had fallen short of the standards outlined in its privacy review," and that MCI would track down every unauthorized data access.
That admission is particularly damaging. Just two months ago, Bosworth had personally reassured nervous employees that MCI used identical protection standards to Meta's other sensitive internal datasets — that it was, in his own words, "tightly controlled." Those guarantees dissolved overnight.
1,600 Employees Said This Would Happen
The leak lands during what insiders describe as a sustained morale crisis at Meta. More than 1,600 employees had already signed a formal internal petition against MCI, explicitly warning that "collecting this data introduces both security and regulatory risks for Meta, including the potential for breaches and unauthorized disclosure."
One engineer published a widely circulated internal note calling the screen-scraping initiative an invasion of privacy and outright exploitation.
Employee reaction this week was immediate and furious. "I am incensed," one staffer wrote in an internal forum. "The fact that this data wasn't locked down as originally promised is super frustrating." Someone else posted a meme from The Office: "0 days since our last nonsense."
This incident also doesn't exist in isolation. Last month, a flaw in Meta's AI chatbot allowed attackers to compromise multiple Instagram accounts. In March, a rogue internal AI agent caused a separate severe incident.
The Regulatory Heat Is Already On
Meta operates under a US Federal Trade Commission consent decree set to run until 2040 — a legally binding requirement to maintain rigorous data security practices following prior privacy violations. Whether this breach triggers federal scrutiny is an open question, but the timing is brutal: Meta recently began offloading portions of its own internal privacy reviews to AI tools, and it's still unclear if that played any role here.
Meta has paused MCI indefinitely pending investigation, stating it has "no indication that any data was improperly accessed." For employees whose keystrokes, screen contents, and private conversations sat exposed on company-wide servers, that distinction may feel academic.
For anyone working at a company that runs mandatory monitoring software: always review your employer's privacy policy, understand what data is being collected, and flag concerns through formal internal channels — the 1,600 employees who signed Meta's petition got it right on paper, even if the company didn't listen fast enough.