TikTok confirms employees improperly accessed journalists’ user data in hunt for leaks | CBC News

ByteDance, the Chinese parent company of popular video app TikTok, said Thursday some employees this summer improperly accessed TikTok user data of two U.S. journalists and were no longer employed by the company.

In an email to staff Thursday, ByteDance general counsel Erich Andersen said the employees accessed the data to try to identify potential connections between employees and the two journalists, who worked for BuzzFeed and the Financial Times, following leaks of company information.

After an investigation, conducted by an outside law firm, one ByteDance employee had resigned and three others were fired, the New York Times reported. Two of the workers were based in China and the other two were in the U.S.

Company officials said they were taking additional steps to protect user data.

ByteDance’s disclosure could add to pressure TikTok is facing in Washington from lawmakers and the Biden administration over security concerns about U.S. user data. Congress is set to pass legislation this week to ban U.S. government employees from downloading or using TikTok on their government-owned devices.

Last year, Prime Minister Justin Trudeau said Canada’s electronic spy agency was also watching out for security threats from TikTok.

TikTok promises data protections

In a separate email to employees seen by Reuters, TikTok Chief Executive Shou Zi Chew said the employees’ “misconduct is not at all representative of what I know our company’s principles to be.”

He said the company “will continue to enhance these access protocols, which have already been significantly improved and hardened since this initiative took place.”

Chew said that over the past 15 months, the company had been working to build a data security feature, TikTok U.S. Data Security (USDS), to ensure protected TikTok U.S. user data stayed in the U.S.

“We are completing the migration of protected U.S. user data management to the USDS department and have been systematically cutting off access points,” Chew said.

ByteDance also said it was restructuring its Internal Audit and Risk Control department, and its global investigations function would be split out and restructured. The company added it would be redesigning the investigations process to include an oversight council.