The rapidly expanding market for employee monitoring software has experienced a significant security event with workplace monitoring app WorkComposer exposing millions of sensitive files. According to an investigation by Cybernews, the tool, reportedly used by over 200,000 individuals, leaked more than 21 million employee screenshots directly onto the public internet.
This exposure stemmed from an improperly secured Amazon S3 cloud storage bucket, a common type of cloud storage prone to leaks if not configured correctly by the user. Such misconfigurations often involve human error in setting access permissions, rather than flaws in the cloud service itself. The company advertises its product as very secure, stating “We promise to provide bullet-proof security to all our stakeholders” on its website.
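The report does not say which permission setting was wrong on the WorkComposer bucket. As an added illustration (not code from Cybernews or WorkComposer), the check below evaluates the three S3 permission layers an administrator would audit: the bucket policy, the ACL grants and the Public Access Block flags. The bucket name and all sample data are constructed, and policy matching is simplified as noted in the comments.

```python
import json

# Constructed sample data shaped like boto3's get_bucket_policy,
# get_bucket_acl and get_public_access_block responses.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-screenshots/*"}]})
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
PAB_OFF = dict.fromkeys(PAB_KEYS, False)
PAB_ON = dict.fromkeys(PAB_KEYS, True)

# Simplification: exact action names only, no "s3:Get*" pattern matching.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean any caller, authenticated or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_findings(policy_json, acl_grants, pab):
    """Return the reasons a bucket is readable by anonymous callers."""
    findings = []
    # RestrictPublicBuckets neutralises an existing public policy;
    # BlockPublicPolicy only rejects future ones, so it is not consulted.
    if not pab.get("RestrictPublicBuckets", False):
        for st in _as_list(json.loads(policy_json).get("Statement", [])):
            hit = set(_as_list(st.get("Action", []))) & READ_ACTIONS
            # Statements with a Condition are skipped here; review them by hand.
            if (st.get("Effect") == "Allow" and hit and not st.get("Condition")
                    and _is_anonymous(st.get("Principal"))):
                findings.append("policy: anonymous " + ",".join(sorted(hit)))
    # IgnorePublicAcls neutralises existing public grants;
    # BlockPublicAcls only rejects new ones.
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            if (grant["Grantee"].get("URI") == ALL_USERS
                    and grant["Permission"] in ("READ", "FULL_CONTROL")):
                findings.append("acl: AllUsers " + grant["Permission"])
    return findings

if __name__ == "__main__":
    print(public_read_findings(OPEN_POLICY, OPEN_ACL, PAB_OFF))
```

An empty result with all four Public Access Block flags enabled is the state an administrator wants for a bucket holding screenshots.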
A Window Onto Desktops
WorkComposer operates by capturing frequent snapshots of employee screens—potentially as often as every 20 seconds, according to some reports—alongside logging keystrokes and tracking application usage.
The unsecured S3 bucket meant this continuous visual feed was openly accessible in real time. Cybernews outlined several specific dangers posed by such a leak: first, internal documents and communications meant only for company eyes were exposed; second, usernames, passwords, or API keys visible in screenshots could “lead to hijacked accounts and deeper breaches of businesses worldwide”; and third, companies using WorkComposer could face serious legal and financial repercussions under data protection laws like Europe’s GDPR or California’s CCPA.
Cybernews researchers found the open bucket on February 20 and alerted WorkComposer the next day. Progress appeared slow, prompting contact with CERT on March 19. Access was eventually locked down on April 1, securing the exposed data. However, WorkComposer had not issued a public comment by the time Cybernews published its findings later that month. WorkComposer’s own Terms and Conditions include a disclaimer rejecting liability for internet security breaches, stating “We disclaim any and all liability resulting from or related to any Internet security breach or disruption of Authorized User’s connections to the Web Services or API.”
This incident wasn’t unique; as a previous Cybernews investigation from January found, another monitoring tool, WebWork, had leaked 13 million screenshots through similar vulnerabilities.
The Monitoring Landscape and Worker Sentiment
The use of such monitoring tools is becoming increasingly common, with some estimates suggesting 70% of large employers may use them by 2025. Features like screenshotting are prevalent, reportedly included in 78% of productivity tools. This widespread adoption amplifies the potential impact of security failures.
While intended to track productivity, these applications capture a wide range of on-screen activity, potentially including personal messages or sensitive private information. Understandably, employee reactions are varied. Data indicates significant worker anxiety (56% feel stressed by monitoring), privacy concerns (43%), and willingness to leave jobs over surveillance (54%). Yet, a majority (62%) reportedly accept monitoring technology, especially if the data aids performance or wellbeing.
Past Precedents and Industry Adjustments
Debates over workplace digital surveillance aren’t limited to smaller vendors. In late 2020, Microsoft encountered substantial criticism regarding its “Productivity Score” feature in Microsoft 365. Privacy advocates argued it enabled problematic workplace surveillance, allowing managers to track individual metrics like email volume and Teams participation. Researcher Wolfie Christl commented at the time, “This is so problematic at many levels,” adding, “Employers are increasingly exploiting metadata logged by software and devices for performance analytics and algorithmic control… MS is providing the tools for it.”
Microsoft initially defended the feature, stating: “Productivity score is an opt-in experience that gives IT administrators insights about technology and infrastructure usage… Insights are shown in aggregate over a 28-day period and are provided at the user level so that an IT admin can provide technical support and guidance… productivity score is not a work monitoring tool.”
However, the company quickly responded to the concerns. On December 1, 2020, Microsoft 365 CVP Jared Spataro announced changes, stating, “We’ve heard the feedback, and today we’re responding by making changes to the product to further bolster privacy for customers.”
The adjustments involved removing individual user names from reports and focusing the tool entirely on aggregate organizational data regarding technology adoption, moving away from individual productivity tracking. This case illustrates how major providers may adjust features based on privacy feedback, contrasting with the WorkComposer situation, which involved a data leak due to a security lapse rather than a feature design choice.