HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Meta Pauses Employee‑Tracking Program After Internal Review Finds Broad Access to Keystroke & Screen‑Capture Data

Meta halted its Model Capability Initiative after an internal review revealed that granular keystroke and screen‑capture data collected from employee laptops were accessible to thousands of internal users. The exposure highlights SOC 2 access‑control gaps that any organization must address to maintain audit readiness.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 malwarebytes.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
4 recommended
📰
Source
malwarebytes.com

Meta Pauses Employee‑Tracking Program After Internal Review Finds Broad Access to Keystroke & Screen‑Capture Data

What Happened — Meta’s internal “Model Capability Initiative” collected granular keystrokes, mouse movements, and live screenshots from employee laptops to train AI models. An internal security review discovered that the resulting data sets were accessible to thousands of internal users far beyond the intended audience, prompting the company to pause the program.

Why It Matters for Compliance & Audit Readiness

  • The incident illustrates a classic SOC 2 Access Control failure: data was over‑shared without documented least‑privilege rules or regular access‑review evidence.
  • Continuous‑compliance programs require auditable controls (CC6.1, CC6.2) that restrict who can view sensitive employee‑activity data and prove that those restrictions are enforced.
  • The episode underscores the need for formal Security Awareness Training and clear policy communication when deploying workplace‑monitoring tools.

Who Is Affected — Large technology and SaaS enterprises that run internal analytics or AI‑training pipelines on employee‑generated data; any organization that monitors employee workstations.

Recommended Actions

  • Map the data‑collection workflow to SOC 2 Access Control criteria (CC6.1‑CC6.3) and document the intended audience.
  • Implement a least‑privilege matrix, enforce role‑based access, and schedule automated quarterly access‑review audits.
  • Update employee‑monitoring policies to include explicit consent, retention limits, and a clear opt‑out mechanism where legally required.
  • Conduct targeted security‑awareness sessions covering the risks of over‑collection and data‑handling best practices.

Source: Malwarebytes Labs – Meta pauses controversial employee‑tracking program after security review

Technical Notes

  • Attack vector: Misconfiguration of internal data‑access permissions; no external exploit required.
  • Data types exposed: Real‑time keystrokes, mouse clicks, full‑screen captures, AI prompts, transcriptions, and performance‑related information.
  • Root cause: Lack of granular RBAC and insufficient audit of data‑table permissions.
📰 Original Source
https://www.malwarebytes.com/blog/news/2026/06/meta-pauses-controversial-employee-tracking-program-after-security-review

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →