惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

H
Hackread – Cybersecurity News, Data Breaches, AI and More
C
Check Point Blog
Hacker News: Ask HN
Hacker News: Ask HN
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
P
Proofpoint News Feed
V
Visual Studio Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
N
Netflix TechBlog - Medium
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 聂微东
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 叶小钗
Cisco Talos Blog
Cisco Talos Blog
S
Schneier on Security
T
Threat Research - Cisco Blogs
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Hacker News
The Hacker News
Google DeepMind News
Google DeepMind News
Microsoft Security Blog
Microsoft Security Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
GbyAI
GbyAI
N
News | PayPal Newsroom
L
LINUX DO - 最新话题
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Palo Alto Networks Blog
T
Tenable Blog
S
Secure Thoughts
T
Threatpost
V2EX - 技术
V2EX - 技术
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
罗磊的独立博客
P
Privacy & Cybersecurity Law Blog
Engineering at Meta
Engineering at Meta
小众软件
小众软件
Google DeepMind News
Google DeepMind News
N
News and Events Feed by Topic
Y
Y Combinator Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
Cybersecurity and Infrastructure Security Agency CISA
P
Proofpoint News Feed
L
Lohrmann on Cybersecurity
P
Privacy International News Feed
H
Heimdal Security Blog
量子位
B
Blog

CSO Online

New malware turns Linux systems into P2P attack networks Poisoned truth: The quiet security threat inside enterprise AI Train like you fight: Why cyber operations teams need no-notice drills Die besten DAST- & SAST-Tools CISA mulls new three-day remediation deadline for critical flaws CISA pushes critical infrastructure operators to prepare to work in isolation CISOs step up to the security workforce challenge 10 Anzeichen für einen schlechten CSO Anthropic Mythos spurs White House to weigh pre-release reviews for high-risk AI models Security agencies draw red lines around agentic AI deployments The fake IT worker problem CISOs can’t ignore How CISOs should utilize data security posture management to inform risk Was ist ein Botnet? Human-centric failures: Why BEC continues to work despite MFA Just 34% of cyber pros plan to stick with their current employer Managing OT risk at scale: Why OT cyber decisions are leadership decisions 4 ways to prepare your SOC for agentic AI ‘Trivial’ exploit can give attackers root access to Linux kernel Bank regulator sounds warning over cybersecurity threat posed by AI models Dismantle implicit trust in OT networks, CISA tells critical infrastructure operators Max-severity RCE flaw found in Google Gemini CLI Stopping the quiet drift toward excessive agency with re-permissioning ODNI to CISOs on threat assessments: You’re on your own 10 wichtige Security-Eigenschaften: So setzen Sie die Kraft Ihres IT-Sicherheitstechnik-Teams frei Researchers unearth industrial sabotage malware that predated Stuxnet by 5 years AWS leans on prior ingenuity to face future AI and quantum threats What it takes to win that CSO role Third Party Risk Management: So vermeiden Sie Compliance-Unheil Critical Cursor bug could turn routine Git into RCE Securing RAG pipelines in enterprise SaaS What CISOs need to get right as identity enters the agentic era Stopping AiTM attacks: The defenses that actually work after authentication succeeds EDR-Software – ein Kaufratgeber Microsoft patched an ‘agent-only’ role that was not AI is reshaping DevSecOps to bring security closer to the code The 'manager of agents': How AI evolves the SOC analyst role 4 Wege aus der Security-Akronymhölle Autonome KI-Agenten: Strategien für die neue Bedrohungslage New US House privacy bills raise hard questions about enterprise data collection Scattered Spider co-conspirator pleads guilty Security-KPIs und -KRIs: So messen Sie Cybersicherheit Bitwarden CLI password manager trojanized in supply chain attack 3 practical ways AI threat detection improves enterprise cyber resilience The curious case of Sean Plankey’s derailed CISA nomination Google gets agent-ready for the Mythos age Google drafts AI agents secure systems against AI hackers CNAPP – ein Kaufratgeber Riddled with flaws, serial-to-Ethernet converters endanger critical infrastructure NFC tap-to-pay gets tapped by hackers Anthropic bets on EPSS for the coming bug surge SBOM erklärt: Was ist eine Software Bill of Materials? Thousands of Apache ActiveMQ instances still unpatched, weeks after an actively exploited hole discovered Prompt injection turned Google’s Antigravity file search into RCE Why identity is the driving force behind digital transformation Top techniques attackers use to infiltrate your systems today The thin gray line: Handala, CyberAv3ngers and Iran’s proxy ops Attackers abuse Microsoft Teams to impersonate the IT helpdesk in a new enterprise intrusion playbook CISOs reshape their roles as business risk strategists Copilot & Agentforce offen für Prompt-Injection-Tricks Claude Mythos – ist der Hype gerechtfertigt? Für Cyberattacken gewappnet – Krisenkommunikation nach Plan Critical sandbox bypass fixed in popular Thymeleaf Java template engine White House moves to give federal agencies access to Anthropic’s Claude Mythos Another Microsoft Defender privilege escalation bug emerges days after patch Palo Alto’s Helmut Reisinger sees a cyber sea change ahead as AI advances Positiv denken für Sicherheitsentscheider: 6 Mindsets, die Sie sofort ablegen sollten NIST cuts down CVE analysis amid vulnerability overload Was bei der Cloud-Konfiguration schiefläuft – und wie es besser geht The endless CISO reporting line debate — and what it says about cybersecurity leadership Behind the Mythos hype, Glasswing has just one confirmed CVE Insurance carriers quietly back away from covering AI outputs RCE by design: MCP architectural choice haunts AI agent ecosystem Critical nginx UI tool vulnerability opens web servers to full compromise Copilot and Agentforce fall to form-based prompt injection tricks The deepfake dilemma: From financial fraud to reputational crisis 7 biggest healthcare security threats The need for a board-level definition of cyber resilience Mallory Launches AI-Native Threat Intelligence Platform, Turning Global Threat Data Into Prioritized Action 13 Fragen gegen Drittanbieterrisiken April Patch Tuesday roundup: Zero day vulnerabilities and critical bugs 4 questions to ask before outsourcing MDR 5 trends defining the future of AI-powered cybersecurity EU regulators largely denied access to Anthropic Mythos China-linked cloud credential heist runs on typos and SMTP How AI is transforming threat detection The AI inflection point: What security leaders must do now Cyber-Inspekteur: Hybride Attacken nehmen weiter zu Anthropic’s Mythos signals a structural cybersecurity shift Seven IBM WebSphere Liberty flaws can be chained into full takeover Old Docker authorization bypass pops up despite previous patch Hacker Unknown now known, named on Europol’s most-wanted list The cyber winners and losers in Trump’s 2027 budget CMMC compliance in the age of AI Claude uncovers a 13‑year‑old ActiveMQ RCE bug within minutes Was CISOs von Moschusochsen lernen können Hackers have been exploiting an unpatched Adobe Reader vulnerability for months New ClickFix variant bypasses Apple safeguards with one‑click script execution Cloudflare ‘actively adjusting’ quantum priorities in wake of Google warning Patch windows collapse as time-to-exploit accelerates So geht Post-Incident Review
Meta pauses employee monitoring program after data protections fail
Evan Schuman · 2026-06-24 · via CSO Online

Poor data protection allowed employees to view everyone’s data, creating a trust issue.

An extensive program at Meta to gather a wide range of data from employees to train its AI model has been frozen after employees reportedly broke through its guardrails and accessed restricted data, and then did so again after Meta claimed to have fixed the vulnerability.

Whether or not the data collection by the $201 billion owner of Facebook was a good idea, analysts argue that the data protections deployed were woefully inadequate, given the extreme sensitive nature of the collected data.

“Meta had the resources to get it right, and yet they failed exponentially,” said Karianne Michelle, a director with consulting firm Acceligence. “That is what it looks like when the policy decision and the technical execution are happening in two different rooms that are not fully in sync. It is the kind of gap you see often enough at organizations under structural strain.”

Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group,  agreed.

“What we just observed from the Meta story is a classic failure mode in AI-era data strategy: collecting high-risk telemetry without equally mature access controls,” Jean-Louis said. “At that scale, a single misconfiguration turns internal data into a systemic exposure.”

The story, detailed in a Wired report, involved a program that Meta rolled out in April called the Model Compatibility Initiative (MCI), which collects computer inputs such as mouse movements, click locations, and keystrokes, as well as screen content, the story said. Meta employees were initially not allowed to opt out. 

The data collected included full prompts and transcriptions, private conversations, people and performance data, Wired said, adding, “Meta executives have repeatedly defended the data-gathering project, saying it was necessary to train AI systems to operate computer software the way humans do, and that employees were the best examples for the artificial intelligence to learn from.”

Wired also quoted Stephane Kasriel, a Meta vice president overseeing AI research, who saying that the company discovered that unauthorized employees were found to have accessed MCI data on June 18, and that the hole was closed “within four hours.” But, he added, “ the initial fix didn’t stick, and access to the data had to be further locked down.”

In an email statement shared with CSO Online, Meta confirmed that the program was being halted for the time being. “We have carefully designed this program with privacy safeguards, and while we have no indication at this time that any data was improperly accessed by Meta employees, we’re pausing it while we investigate,” Meta said. 

A ‘liability surface’

Analysts, consultants, and industry practitioners said they were more concerned about the inadequate protections than the underlying data exposure.

Carmi Levy, an independent technology analyst, said that although there should be concerns about Meta’s “Orwellian oversight of workers’ keystrokes and mouse movements,” the bigger issue is the paper-thin protections that it used to protect that data.

“As creepy as MCI was and is, the reason Meta has hit the pause button has nothing to do with the moral and ethical fuzziness of everyday employee surveillance, and everything to do with its failure to secure the data it collected in the process,” Levy said. “Conceivably, it will resume monitoring and data collection once it fully understands how highly sensitive data, such as employees’ private conversations, performance data, and transcriptions, ended up being inadvertently shared with the entire workforce.”

One of the critical background issues is that while the data collected was highly sensitive, it was not, from a strict compliance law perspective, PII (personally identifiable information). That distinction might have lulled Meta into a false sense of security and convinced it that the data did not merit strong protections. 

“I think companies can get a little too comfortable saying, ‘Well, it’s not PII,’ as if that makes the data low-risk,” said Tom Findling, CEO of Conifers.ai. “But internal prompts, transcripts, chats, data tables, and performance notes can tell you a lot about how a company works, what it’s building and where things are messy or exposed. That’s sensitive, even if it’s not someone’s Social Security number.”

Findling argued that Meta executives “wanted to pretend that they didn’t understand” how sensitive the collected data was, and that was their excuse for why they should not have to protect it sufficiently. “There is no doubt that Meta did not tag this at an appropriate risk level,” he said.

Info-Tech’s Jean-Louis took particular umbrage at the particulars of the collected data. 

“Employee behavioral data, such as keystrokes, screenshots, and usage patterns, is effectively sensitive by default. If you’re using it to train AI, you have to treat it like production secrets, not analytics exhaust,” Jean-Louis said. “When thousands of internal tables are broadly accessible, you have a liability surface rather than a data platform. Trust nowadays is a security control. Once employees believe their data is overcollected or underprotected, you introduce both insider risk and reputational damage at the same time.”

Acceligence’s Michelle echoed Jean-Louis’ concerns.

“The data Meta exposed is not the real risk. Security policy only works if people believe it, and belief is exactly what is now in question,” Michelle said. “That gap is where incidents like this one do their damage: once employees stop trusting what leadership says about their own data, the doubt follows every policy that comes next, producing workarounds, quiet noncompliance, and employees who stop raising flags.”

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.