An internal investigation at TikTok parent company ByteDance found that several employees accessed the TikTok data of at least two US journalists and a “small number” of other people connected to them, according to internal emails obtained by The Verge that were first reported by The New York Times. The accessed data includes the reporters’ IP addresses, which were used to see if they had been physically near TikTok employees who were suspected of leaking information to the press.

In an email to employees, the CEO of Beijing-based ByteDance, Rubo Liang, said he was “deeply disappointed” and that “the public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals.” In another internal email, TikTok’s CEO who reports to Liang, Shou Chew, referred to the incident as “the poorly conceived acts of a few people.” And in a third email, TikTok general counsel Erich Andersen said the company’s Internet Audit and Risk team is being restructured in response. You can read all three memos in full at the bottom of this story.

The revelation comes as US lawmakers make moves to restrict TikTok over national security concerns, including banning it from government phones. It also shows ByteDance walking back denials that TikTok has never been used to “target” journalists.

The company’s investigation, which was conducted by an outside law firm, revealed that the two journalists who had their data accessed by ByteDance’s Internal Audit team worked for BuzzFeed and The Financial Times. Forbes, however, says that three of its journalists were tracked: Emily Baker-White, Katharine Schwab, and Richard Nieva, all of whom worked for BuzzFeed until earlier this summer. The Financial Times says its reporter, Cristina Criddle, was tracked.

The Verge has confirmed that Song Ye, ByteDance’s head of audit and risk control who reported to its CEO, has left the company in connection with the investigation and that three other employees have been fired. One of those employees is Chris Lepitak, TikTok’s head of internal audit who reported to Ye, according to Forbes.

In October, Forbes reported that ByteDance had planned on using TikTok to track the location data of specific US citizens. At the time, the reporter behind the story pointed out that the company admitted to collecting approximate locations using IP addresses. TikTok strongly denied the story, saying that it lacked “rigor and journalistic integrity” and that any employees using the audit system in the way Forbes described would be fired.

It was the Forbes report that prompted ByteDance’s investigation, which ultimately led to the employee firings, according to the internal memo by TikTok’s general counsel. ByteDance CFO Julie Gao has now taken over audit and risk control, the memo says.

This news couldn’t come at a worse time for TikTok, which is already under a microscope when it comes to its handling of user data and privacy. Over a dozen states in the US have banned TikTok on government phones, and senators like Marco Rubio are working on legislation that would ban it outright in the US. Lawmakers involved with the bill say they’re concerned that the app gives the Chinese Communist Party the ability to monitor and influence Americans.

TikTok has taken steps to distance itself from ByteDance and is in negotiations with the US government to totally separate user data from China. But it’s unclear what the outcome of those negotiations will be.

In June, TikTok said it started routing US user data through Oracle to appease concerns that China-based employees could access US information. In his memo to employees, TikTok CEO Shou Chew said the company has “been systematically cutting off access points” now that “all” US user data is being handled by Oracle.

Here’s the full internal email from TikTok general counsel Erich Andersen:

All,

Several weeks ago, there was a news report alleging that employees of the company’s Internal Audit team may have attempted to inappropriately access users’ location data. Even though many of the claims in the article were speculative, our Global Legal Compliance team began an immediate investigation into the facts alleged in the story, and engaged a highly reputable law firm to assist with the investigation.

We have since learned that a misguided plan was developed and carried out by a few individuals within the Internal Audit department this past summer in the context of investigating significant leaks of confidential company information by employees to media – including purported leaked documents, screenshots, and audio recordings of internal meetings.

It is standard practice for companies to have an internal audit group that is authorized to investigate code of conduct violations. However, as part of the initiative to investigate the leaks related to this case, the individuals involved misused their authority to obtain access to TikTok user data. These individuals were aiming to identify potential connections between two journalists, who reported on the contents of leaked documents and recordings – a former BuzzFeed reporter and a Financial Times reporter – and company employees. In turn, they hoped information about these connections would help identify the employees responsible for the leaks. For example, the individuals looked at the IP addresses of the journalists to try to determine if they were in the same location as the employees suspected of leaking confidential information, notwithstanding the fact that IP addresses would only yield approximate location information. Not surprisingly, their ill-considered efforts did not result in identifying the sources of the leaks. Nonetheless, their access to user data in connection with these efforts was a significant violation of the company’s Code of Conduct, and so we are pursuing the following steps immediately:

None of the individuals found to have directly participated in or overseen the misguided plan remain employed at ByteDance. We are continuing the investigation led by the Legal team.

We are restructuring the Internal Audit and Risk Control (IARC) department:

Julie Gao, CFO, will take over the IARC department and begin an immediate search for the new leader, who will report to her.

The Global Investigations function that had been part of IARC will be split out and restructured. Going forward, the Global Legal Compliance team will have oversight of all investigations formerly within the scope of IARC.

We will be redesigning the investigations process to include an oversight council which, among other responsibilities, will oversee the development and refinement of policies and procedures governing the company’s investigative functions and monitor the functions’ compliance with applicable laws and company policies.

We have removed all user data access and permissions for the IARC department.

Going forward, where it is necessary and appropriate for IARC to be granted access to properly scoped user data (for example, to investigate fraud involving employees of the company), that access will be subject to, and only granted in accordance with, the Company’s policy and protocols. This step will be coupled with training of the IARC team regarding the new policy and protocols.

In addition, we will continue to assess and enhance our access controls. In this case in fact, access to certain US user information in the context of the misguided investigation was already limited by prior transfer of control to the US Data Security team, and those controls have been significantly improved and hardened since this initiative took place.

I also want to emphasize that we have an open and candid culture within ByteDance. It’s a core part of our ByteStyles. If you are faced with an ethical dilemma or a reportable challenge, notify your manager, HR, or the Speak Up hotline to do so anonymously. There are many avenues for you to share your concerns.

I hope we can all learn from this situation and move forward with a clear understanding and appreciation of our responsibilities – as employees and leaders – to build and operate an ethical business.

Erich

The full internal memo from ByteDance CEO Rubo Liang:

Our company has always prioritized protecting user data and maintaining user trust. TikTok has taken great strides to protect user data, and leadership has repeatedly stressed that data protection across all our products and services is a critical company priority.

That is why I was deeply disappointed when I was notified of the situation Erich has described in his email, and I am sure you feel the same. The public trust that we have spent huge efforts building is going to be significantly undermined by the misconduct of a few individuals. No matter what the cause or the outcome was, this misguided investigation seriously violated the company’s Code of Conduct and is condemned by the company. We simply cannot take integrity risks that damage the trust of our users, employees, and stakeholders. We must exercise sound judgment in the choices we make and be sure they represent the principles we stand behind as a company. Any plan we draft or action we take must be in line with the company’s values and Code of Conduct.

We are taking immediate actions to assuage and address the situation. But more importantly, we need to deeply reflect on our actions and think about how we can prevent similar incidents from happening again. I fully support the remediation steps Erich outlined, and ask that we all commit to the steps forward to improve our policies, protocols, and team management related to data access. For example, this will mean that we organize data compliance trainings for related teams, ensure that relevant approvers fully understand the potential risks associated with data permissions and develop sound judgment when processing such applications, and set up a new oversight council to strengthen the oversight on investigation functions.

I believe this situation will serve as a lesson for us all. We will work hard to restore the damage, and keep striving to become a company trusted by the public.

Rubo

And the full internal memo from TikTok CEO Shou Chew:

All - As you’re reading the notes from Erich and Rubo, I want to add that this misconduct is not at all representative of what I know our company’s principles to be. I’m disappointed to hear that anyone, even a very small subset of people, would have considered it acceptable.

As Erich mentioned, the individuals involved misused their authority to obtain access to TikTok user data. This is unacceptable. We will continue to enhance these access protocols, which have already been significantly improved and hardened since this initiative took place.

We take data security incredibly seriously. Our work over the past 15+ months to build TikTok US Data Security (USDS) – to ensure protected TikTok US user data stays in the US – is testament to that commitment. In addition to now routing all TikTok US user data to the Oracle Cloud Infrastructure (OCI), the USDS department is limiting access of that data to the USDS department and has already done so across our production systems. We are completing the migration of protected US user data management to the USDS department and have been systematically cutting off access points such that new US user protected data stored in OCI will soon only be accessed by USDS, US Safety, and select individuals within the legal and compliance teams.

Similarly, we are undertaking a comprehensive project in Europe and the UK to enhance our already robust data security practices with a new generation of technology and investments centered on our new Dublin data center.

We cannot take the trust we are building with our stakeholders for granted. We must continue to prioritize these efforts and not let the poorly conceived acts of a few people undermine the work of the tens of thousands of us who are creating a platform where people around the world can create and communicate safely. At TikTok, we can only be the platform we need to be for our community if we live and breathe our principles in all actions we take as we continue to invest in earning the trust of our amazing global community.

Shou

Update December 22nd, 3:55PM ET: Added independent confirmation of emails to ByteDance employees and details from Forbes and The Financial Times, including the reported names of some of the executives involved and the reporters who were tracked.

Update December 22nd, 4:09PM ET: Added full email to employees from TikTok general counsel Erich Andersen.

Update December 22nd, 5:37PM ET: Added full emails to employees from ByteDance CEO and TikTok CEO, along with confirmation of the departure of ByteDance executive Song Ye and the firing of three other employees.