Meta’s employee-tracking tool just ran into the problem workers feared.
The company is pausing MCI, an internal program that records employee computer activity for AI training, after a security issue exposed some of the data it collected, Reuters and WIRED reported. The incident raises a larger question for companies racing to train workplace AI systems: how much employee activity can they collect before the monitoring itself becomes a security risk?
The pause follows months of internal concern over keystroke and screen monitoring, which can capture sensitive material simply because it passes through a company device.
Records included prompts, transcripts, and ratings
Internal documentation reviewed by Reuters listed several categories of affected records, including “full prompts and transcriptions, private conversations, people & performance data, DSS sensitivity ratings (1-4).”
The list suggests the records went well past basic activity logs, though the documentation did not spell out every category in detail.
Company spokesperson Tracy Clayton said Meta had “no indication at this time” that employees improperly accessed the data, adding that the program was being paused while the investigation continues.
No timeline was given for when MCI might return.
Meta’s first fix did not hold
Inside Meta, the issue quickly moved from an internal security notice to employee backlash. A Meta engineer said databases filled with MCI-gathered information had been accessible to anyone inside the company, WIRED reported.
Critical comments soon poured into internal forums. A former employee involved in earlier pushback against MCI called the lapse “a mess,” saying workers had warned leadership about risks to employee and customer data.
Stephane Kasriel, a Meta vice president overseeing AI research, later said the issue was discovered on June 18 and addressed within four hours. The first fix did not hold, and access to the data had to be further locked down.
“We will only re-enable MCI when we are confident in the effectiveness of our data protection controls,” Kasriel said.
Broad monitoring created a larger target
MCI’s risk started with its reach. Earlier reporting found that the tool could pull data from more than 200 apps and websites and capture emails or direct messages sent to US-based employees, including messages from colleagues outside the US.
The program also sits inside a larger AI overhaul at Meta, where CEO Mark Zuckerberg has been trying to reshape the company around agents that can take on more workplace tasks.
Employees had already raised concerns about what broad collection might sweep up on work devices. “I have accessed both personal tax and medical information through my work computer, as have many thousands of employees,” one worker wrote in an internal comment cited by Reuters.
While there is no confirmation that those details were in the exposed records, the warning showed how quickly routine work activity can brush up against personal information.
Privacy advocates had also warned that capturing communications from European employees, even indirectly, could raise GDPR issues. Once workplace behavior is collected for AI training, every app, message, and screen becomes part of the security burden.
DeepMind’s AI Control Roadmap provides enterprises with a clearer lens for assessing agent safety before deployment.