Meta has suspended its internal Model Capability Initiative (MCI) following a major security incident. The program, designed to improve AI models, collected sensitive behavioral data from employees, including keystrokes and mouse movements, which resulted in a leak of confidential information within the corporation.

What Happened

As a result of the data leak, classified as a SEV 2 incident, private employee communications, performance data, and activity transcriptions became accessible within the company. The MCI program, launched in April 2026, used high-frequency keystroke and mouse movement logs to train models, but an architectural failure in access rights management turned this data into a critical vulnerability.

Context

The MCI initiative aimed to use highly detailed behavioral data to enhance model quality. However, collecting raw logs without proper isolation created a massive attack surface, where valuable training datasets effectively became a tool for compromising personnel privacy.

Why It Matters for the Industry

This incident highlights the critical risks of using 'raw' behavioral logs to train corporate LLMs. For the industry, it signals the need to move toward Privacy-Preserving Machine Learning (PPML) methods, synthetic data, or strict Differential Privacy protocols in order to avoid legal consequences and the erosion of trust in AI deployment within large tech companies.

Why It Matters for Users

For regular users and employees, this case serves as a warning that monitoring tools created to improve AI can become sources of personal information leaks. It underscores the importance of strict control over exactly which behavioral data is collected and who has access to it.

Author

Look at AI, Editorial Team