Unauthorized Release of Over 21 Million Employee Screenshots by Surveillance Firm Online
Digital Spying Gone Wrong: The WorkComposer Leak Exposes Company Secrets and Employee Vulnerabilities
In the era of advanced digital tools, companies are turning up the heat on employee surveillance, leading to increased risks for thousands of workers. A recent leak from employee monitoring app WorkComposer has exposed millions of real-time computer screen images, potentially revealing sensitive data like internal communications, login credentials, and personal information – setting the stage for identity theft, scams, and more.
Last Thursday, researchers at Cybernews released word of the breach, which involves WorkComposer, an app used by over 200,000 companies globally. The app captures screenshots of employees' computers every 3 to 5 minutes, and the leaked images could provide an intimate look into workers' daily lives, as reported by Cybernews – a team that also uncovered a similar leak earlier this year by WebWork. After the discovery, Cybernews reached out to WorkComposer, who secured the stolen data. The company has yet to respond to Gizmodo's requests for comment.
With the images no longer accessible to the public, WorkComposer's blunder underscores the need for restraint when it comes to handling sensitive worker data. "Companies shouldn't be trusted with this kind of data on their workers," José Martinez, a Senior Grassroots Advocacy Organizer at the Electronic Frontier Foundation, told Gizmodo via email. "If a worker committed the kind of incompetence that WorkComposer did, this data might be used to fire them. WorkComposer, too, should be out of a job."
In addition to screenshot monitoring, WorkComposer offers services like time tracking and web monitoring. The company's website hints at a vaguely dystopian goal: "help[ing] people stop wasting their lives on distractions and finish what is important to them instead." The irony, of course, is that a data leak is likely to be a significant distraction for most people – and any form of surveillance, no matter who's doing it, can serve as a distraction.
Studies have shown that workplace surveillance can have negative psychological and mental health impacts, but this doesn't vanish when companies are the ones watching. In 2023, the American Psychological Association reported that 56% of digitally surveilled workers felt tense or stressed at work compared to 40% of those not being watched[3]. Meanwhile, consumer advocacy group Public Citizen noted that such surveillance may increase mistakes by forcing employees to focus on quantified behavioral metrics that aren't necessary for them to perform their jobs well[2].
Workplace surveillance is far from a new phenomenon, but WorkComposer's leak serves as a stark reminder of the consequences that come with the ever-expanding digital age. Unfortunately, the United States offers very little protection at either the state or federal level, leaving companies to decide for themselves how much privacy and autonomy they are willing to strip from their employees.
Privacy Conundrum: A Maze of Federal, State, and Sectoral Regulations
Employee monitoring and privacy protection laws in the United States are a labyrinthine concoction of federal, state, and sectoral regulations. As of 2025, here's an overview of the current legal landscape governing employee surveillance and privacy protections:
- Federal Level:
- Employee monitoring is legal under U.S. federal law, provided it is justified by legitimate business reasons. Companies are not mandated to notify employees they are being monitored, and no consent is legally required[1].
- Specific sectoral laws like the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act (ADA), the Fair Credit Reporting Act (FCRA), and the Fair and Accurate Credit Transactions Act (FACT Act) offer protections for employee health, financial, and sensitive data[4].
- State-Level Regulations:
- Some states require employers to provide prior notice or consent for employee monitoring or data protection (e.g., Connecticut, Delaware, Texas, and New York)[1].
- Various states have enacted new data privacy legislation enhancing employee data protections, with growing momentum as awareness of the issue increases[2][4].
- General Principles:
- transparency is considered best practice
- personal employee data generally cannot be disclosed without employee consent, except in specific circumstances (e.g., legal compliance, law enforcement)[4].
- monitoring must be justified by legitimate business interests[4].
In essence, while employee surveillance is largely legal within the U.S., protections are fragmented and often vary by state and sector. Employers must comply with applicable state laws and sectoral regulations while adhering to best practices for transparency, data security, and business justification to protect employee privacy effectively[1][2][4][5].
- Despite the growing reliance on employee surveillance apps like WorkComposer, the United States lacks comprehensive federal protection for employee privacy.
- The data leak from WorkComposer has highlighted the need for transparency and restraint in handling employee data, as the app's breach could lead to identity theft and scams.
- José Martinez, a Senior Grassroots Advocate at the Electronic Frontier Foundation, emphasized that companies should not be trusted with such sensitive data, as it could potentially be used against employees for disciplinary actions.
- In 2023, the American Psychological Association reported that digitally surveilled workers were more likely to feel tense or stressed at work compared to those not being monitored.
- Consumer advocacy group Public Citizen noted that workplace surveillance may increase mistakes as it focuses employees on quantified behavioral metrics that may not be necessary for job performance.
- The legal landscape governing employee surveillance and privacy protection in the U.S. is a complex maze of federal, state, and sectoral regulations.
- As of 2025, employers must comply with applicable state laws, sectoral regulations, and best practices for transparency, data security, and business justification to protect employee privacy effectively.
