Several weeks ago, a news article claimed that certain firm workers, namely those on the Internal Audit team, may have tried to illegally acquire consumers’ location data. Although most of the article’s assertions were conjectural, our Global Legal Compliance team launched an urgent inquiry into the facts mentioned in the story and hired a highly recognised legal firm to help with the investigation.
Our investigation into serious leaks of confidential company information by employees to media — including purported leaked documents, screenshots, and audio recordings of internal meetings — revealed that a small group of people within the Internal Audit department developed and implemented a misguided plan this past summer.
It is common practise for businesses to establish an internal audit team with the authority to look into any infractions of the code of conduct. Unfortunately, the endeavour to look into the leaks connected to this issue included people who abused their position to get access to private user data from TikTok. These people were ostensibly looking for ties between the two journalists who had reported on the contents of secret papers and recordings and any employees of the firm. For their part, they were hoping that by learning more about these links, they might pinpoint the leaky staff.
IP addresses can only provide rough geographical information, but these people nonetheless looked at journalists’ IP addresses to see whether they were in the same area as workers suspected of leaking sensitive material. And therefore, it should come as no surprise that their misguided attempts failed to locate the leak’s origin. While we appreciate their efforts, allowing them access to customer data in conjunction with these activities is a serious breach of the company’s Code of Conduct, and as such, we are taking the following measures immediately:
ByteDance has fired everyone who was discovered to have supervised or taken part in the disastrous scheme. The Legal Department is still conducting its inquiry.
Internal Audit and Risk Control (IARC) is undergoing a reorganisation.
As of now, CFO Julie Gao will be in charge of the IARC division and will begin looking for a successor.
The IARC division responsible for global investigations is being dismantled and reorganised. All investigations previously handled by IARC will now fall under the purview of the Global Legal Compliance team.
We’re revamping our investigations process to include a council that will, among other things, ensure that the company’s investigative functions are conducted in accordance with applicable laws and company policies, as well as oversee the creation and refinement of policies and procedures governing those functions.
The IARC division no longer has any access to user data, and all rights have been revoked.
Going forward, IARC will be subject to, and only permitted access to, appropriately scoped user data in line with the Company’s policy and procedures if and only if such access is required and appropriate (for instance, to investigate fraud involving employees of the Company). Alongside this action, the IARC staff will undergo training on the new procedures and policies.
Furthermore, we will always be evaluating and improving our security measures. In this specific example, the US Data Security team had previously been given restricted access to particular user data relevant to the erroneous inquiry; since then, those restrictions have been greatly enhanced and reinforced.
In addition, I’d want to stress that here at ByteDance, we value honesty and openness above all else. One of the pillars of our ByteStyles. You may confidentially report an ethical problem or other reportable difficulty to your boss, HR, or the Speak Up hotline. You may voice your worries in a variety of ways.
I’m hoping that, as a result of this incident, everyone will have a better grasp on their roles as workers and leaders in establishing and maintaining an ethical company.
Subtly charming pop culture geek. Amateur analyst. Freelance tv buff. Coffee lover