ByteDance, the Chinese parent company of TikTok, said on Thursday that an internal investigation found that employees had inappropriately obtained the data of U.S. TikTok users, including that of two reporters.
Over the summer, a few employees on a ByteDance team responsible for monitoring employee conduct tried to find the sources of suspected leaks of internal conversations and business documents to journalists. In doing so, the employees gained access to the IP addresses and other data of two reporters and a small number of people connected to the reporters via their TikTok accounts. They were trying to determine if those individuals were in proximity to ByteDance employees, according to the company, which added that the efforts failed to find any leaks.
The investigation was initiated after Forbes published an article. The inquiry confirms part of that report and highlights the privacy and security risks associated with TikTok that U.S. lawmakers, state governors and the Trump and Biden administrations have raised for more than two years. More than a dozen states have banned TikTok from government-issued devices, and the company has been in prolonged negotiations with the administration on security and privacy measures that would block any potential access to U.S. user data by ByteDance and the Chinese government.
ByteDance’s general counsel, Erich Andersen, revealed the findings of the investigation, which was conducted by an outside law firm, in an email to employees on Thursday.
All four employees involved in the scheme were fired, the company said, correcting an earlier statement that one of the four had resigned. Two of those employees were working in China and two were in the United States. ByteDance said it had restructured its internal audit and risk team and had removed any access to U.S. data from that department.
The targeted reporters were Emily Baker-White, who wrote for BuzzFeed and is now at Forbes, and Cristina Criddle of the Financial Times, ByteDance said, though it declined to identify other affected TikTok users. Forbes reported that two more of its reporters, who are also former BuzzFeed reporters, were targeted. ByteDance said its investigation did not conclude that those additional reporters were affected but said it would re-examine raw data to determine if the allegations were true.
Mr. Andersen and ByteDance’s chief executive, Rubo Liang, revealed the findings of the investigation in separate emails to employees.
“I was deeply disappointed when I was notified of the situation … and I’m sure you feel the same,” Mr. Liang wrote. “The public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals.”
The chief executive of TikTok, Shou Zi Chew, also sent an email to his employees about the investigation, expressing disappointment and stressing the company’s commitment to protect U.S. data.
“We take data security incredibly seriously,” Mr. Chew said in the email. He said that over the past 15 months, the company had worked to create a new U.S.-based data storage program as a “testament to that commitment.”
The employees obtained historical data, according to ByteDance and TikTok officials. For several months, the company said, it has been in the process of putting all U.S. data on the Oracle cloud, but the past data obtained by the ByteDance employees was still available. TikTok said it planned to delete all historical data outside the Oracle systems.
The revelations come amid growing concerns by U.S. officials about the privacy and national security risks posed by TikTok, a hugely popular video-sharing app with an estimated 100 million American users. ByteDance acquired TikTok, formerly known as Musical.ly, in 2017. Since then the company has been the focus of national security officials who say the app is too closely aligned with its parent company in China and can put sensitive data, such as geolocation and the habits and interests of users in the United States, into the hands of the Chinese government.
In September, TikTok’s chief operating officer, Vanessa Pappas, testified in a Senate hearing that the app did not share data with the Chinese government. The company has tried to distance the app from ByteDance, saying TikTok has its own corporate structure, with offices in New York, Los Angeles, Singapore and Washington.
In the hopes of allaying national security fears, ByteDance has moved the data of U.S. users to a cloud storage system operated by Oracle, the Silicon Valley software company.
TikTok has been locked in negotiations with the Biden administration on that security plan to move all U.S. data and erect walls around the data to prevent access by the Chinese government. The negotiations, which began during the Trump administration, have stalled in recent weeks, prompting a cascade of state and federal actions to restrict the use of TikTok. Senator Mark Warner, Democrat of Virginia and chairman of the Intelligence Committee, called on the administration to conclude its talks with TikTok on national security fixes to the app.
“This new development reinforces serious concerns that the social media platform has permitted TikTok engineers and executives in the People’s Republic of China to repeatedly access private data of U.S. users despite repeated claims to lawmakers and users that this data was protected,” Mr. Warner said. “It’s time to come forward with that solution or Congress could soon be forced to step in.”
Congress is set to vote as early as this week on a proposal that would ban TikTok from any federal government-issued devices. Intelligence officials, including the F.B.I. director, Christopher Wray, have warned that Chinese officials can siphon sensitive data about U.S. citizens to use for surveillance and to spread propaganda.
TikTok is in the middle of an escalating economic and trade war between the United States and China for technology leadership. The superpowers have imposed trade restrictions on foreign-made technologies and have poured hundreds of billions of dollars into subsidies and grants to bring back tech supply chains for manufacturing within their borders.
Senator Marco Rubio, Republican of Florida and a ranking member of the Intelligence Committee, has introduced legislation with Democratic support that would ban TikTok from all consumer devices. The bill would face First Amendment challenges, legal experts say, but highlights the increasing pressure to ban the app.
“No one should be surprised or fooled by ByteDance’s public apology,” Mr. Rubio said in a statement about the internal investigation. “The company is desperate to tamp down growing bipartisan concerns about how it enables the Chinese Communist Party to use — and potentially weaponize — the data of American citizens. Every day it becomes more clear that we need to ban TikTok.”