Meta Suspends Employee Tracking Program After Data Leak Exposes AI Training Program's Scope and Privacy Failures

Meta suspended its Model Capability Initiative (MCI) on June 22–23, 2026 after a security misconfiguration exposed a massive trove of sensitive employee data to the entire company, an incident internally classified as SEV 2 (second-highest severity, behind only SEV 0 and SEV 1) . The pause came after months of internal backlash over the program, which tracked employee computer activity to train AI agents — but it was the data leak, not the protests, that finally forced Meta's hand.

What caused the suspension

An employee flagged that MCI's backend databases — spanning over 45,000 database tables — had been left accessible to all Meta workers without proper access controls . The exposed data included:

• Employees' private conversations and chat transcripts
• Prompts and transcriptions from interactions with internal AI tools
• Performance management information
• Some reports indicate unencrypted tax and medical information may also have been captured

The leak was discovered before external parties accessed it, and Meta stated no improper access occurred . But the severity rating (SEV 2) prompted an immediate pause .

Program scope: What MCI actually collected

• Launch date: April 2026, under the broader Agent Transformation Accelerator (ATA) effort
• What it collected: Mouse movements, click locations, keystrokes, and periodic screenshots from designated work applications and websites
• Who was affected: US-based rank-and-file employees; participation was effectively mandatory
• Purpose: To train Meta's AI agents on how white-collar knowledge work is actually performed, capturing real workflows to improve AI automation
• Planned expansion: Internal documentation showed Meta intended to later extend collection to non-US employees, raising EU/GDPR concerns

Earlier internal opposition

Backlash was immediate and sustained from the program's April launch:

• Petition: Over 1,500 employees signed a petition objecting to the mandatory tracking
• CTO message: CTO Andrew Bosworth reportedly sent employees a blunt message that the program was mandatory
• Initial concessions (early June): Meta scaled back MCI — employees were given the ability to pause collection for up to 30 minutes at a time, and some data categories were excluded
• Privacy and legal concerns: Employees raised complaints about potential violations of European GDPR regulations, since communications involving EU-based colleagues could be swept up

Privacy concerns and regulatory risk

The program captured data from designated work apps and websites, but Reuters reported that Meta acknowledged it could also capture communications involving non-US employees . EU privacy regulators began examining whether MCI violated GDPR requirements around consent, data minimization, and employee monitoring .

The data leak itself — unencrypted databases containing private conversations and performance records — was the culminating event that forced the suspension . It turned months of internal privacy complaints into a concrete data breach that Meta could not ignore.

Bottom line

MCI was suspended not because of the employee backlash alone, but because a security configuration failure exposed the program's deeply sensitive data trove to the entire company. The incident turned months of internal privacy complaints into a concrete data breach, forcing Meta to halt the initiative while it investigates.