TikTok user data from the two journalists, who worked for the Financial Times and BuzzFeed, was accessed while ByteDance employees were investigating potential employee leaks to the press, according to the company. The employees involved, two based in the United States and two in China, were fired following an investigation conducted on behalf of the company by an outside law firm, the CEOs of TikTok and ByteDance revealed to employees in two separate emails Thursday.
The personal data accessed from the journalists’ accounts included IP addresses, according to the spokesperson. IP addresses can provide information about a user’s location.
“The individuals involved misused their authority to obtain access to TikTok user data,” TikTok CEO Shou Chew said in his email to employees, according to an excerpt of the email reviewed by CNN. “This is unacceptable.”
The disclosure could further inflame the scrutiny TikTok is facing in the United States over national security concerns given its ties to China. US lawmakers have raised concerns about the security of user data and the ability of the company’s Chinese employees to access information about US TikTok users.
The criticism ramped up earlier this year after a BuzzFeed News report said some US user data has been repeatedly accessed from China, and cited one employee who allegedly said that “everything is seen in China.” TikTok, for its part, has confirmed US user data can be accessed by some employees in China, but the company says that a US-based security team decides who can access US user data from China.
In October, Forbes reported that ByteDance planned to use TikTok data to surveil certain US citizens. In a Thursday report, Forbes named three journalists who had been tracked by the company. (TikTok declined to comment on whether a third journalist had indeed been affected.) The New York Times also reported that several of the journalists’ contacts on TikTok had gotten wrapped up in the tracking, which the company declined to confirm.
“The misconduct of these individuals, who are no longer employed at ByteDance, was an egregious misuse of their authority to obtain access to user data,” Oberwetter said in a statement Thursday. “This misbehavior is unacceptable, and not in line with our efforts across TikTok to earn the trust of our users.”
In response to the incident, TikTok said it has restructured its internal audit and risk teams, and removed access to US user data for those teams, according to the spokesperson. “We take data security incredibly seriously, and we will continue to enhance our access protocols, which have already been significantly improved and hardened since this incident took place,” Oberwetter said.
The Financial Times said that “spying on reporters, interfering with their work or intimidating their sources is completely unacceptable. We’ll be investigating this story more fully before deciding our formal response,” according to a statement included in a report from the newspaper.
A spokesperson for BuzzFeed said in a statement to CNN that it is “deeply disturbed” by the disclosure, calling it a “blatant disregard for the privacy and rights of journalists as well as TikTok users.”
“It’s even more troubling that this comes in the wake of a series of reports by BuzzFeed News that exposed major issues within its parent company, from employees accessing American users’ data from China to ByteDance’s attempts to push pro-China messaging to Americans,” the BuzzFeed spokesperson said.
More than a dozen states, including Maryland, South Dakota and Texas, have in recent weeks announced bans on TikTok for state employees on government-issued devices, and a small but growing number of universities are also blocking access to TikTok on school-owned devices or WiFi networks. The Senate earlier this week passed a bill to ban TikTok from all US government devices. And a trio of lawmakers has introduced legislation aimed at banning the short-form video app from operating in the United States.
TikTok is currently engaged in longstanding negotiations with the US government on a potential deal to address national security concerns and let the app continue serving US customers. It has also said it has taken steps to isolate US user data from other parts of its business, including through a partnership with US-based Oracle.
“No matter what the cause or the outcome was, this misguided investigation seriously violated the company’s Code of Conduct and is condemned by the company,” ByteDance CEO Rubo Liang said in the Thursday email to employees. “We simply cannot take integrity risks that damage the trust of our users, employees, and stakeholders.”