In April 2023, the United Kingdom fined TikTok nearly £13 million for violating users’ privacy. In this article, we’ll detail a full timeline of TikTok data breaches and privacy violations, starting with the most recent.
April 2023: British Regulators Fine TikTok £12.7 Million
On April 4, 2023, the Information Commissioner’s Office of the United Kingdom fined TikTok for violating the British General Data Protection Regulation, or GDPR. Among other charges, TikTok had collected personal data on children without obtaining their parents’ consent.
The British regulators also charged that TikTok had failed to make clear to users how their data was used and shared, and that TikTok had not lawfully processed personal data per British regulations.
December 2022: TikTok Admits to Spying on Reporters
In December, TikTok disclosed that four employees of ByteDance, the app’s parent company, had spied on reporters covering the company. These ByteDance employees compared journalists’ IP addresses with those of TikTok employees, in an attempt to find the source of leaks.
Four ByteDance employees were fired following the incident, including the company’s chief internal auditor. Previously, ByteDance and TikTok had denied that they had any capacity to spy on users in such a manner.
September 2022: Alleged TikTok Breach Appears to Be False Alarm
On September 3, a hacker going by the alias “AgainstTheWest” claimed on Breach Forums to have breached TikTok. However, TikTok disputed the breach, stating that “We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases.”
They aren’t the only ones to dispute this hacker’s claims. Troy Hunt, creator of Have I Been Pwned, investigated the data and deemed it “inconclusive”. And the owner of Breach Forums, the hacker “pompompurin”, banned AgainstTheWest for lying about multiple data breaches:
Please note that the breach is not from TikTok, and that he most likely was lying or didn’t even investigate it before making such outrageous claims. AgainstTheWest has had a long history of lying about breaches or other things (Saying he’s a State sponsored hacking group… lol) and this was just the tipping point.
As far as we can tell, the hacker scraped publicly available information from TikTok. But TikTok itself does not appear to have been hacked, and private data does not seem to have been leaked.
June 2022: Chinese TikTok Employees Found to Be Accessing American User Data, Contrary to Public Statements
In June 2022, BuzzFeed News reported that China-based TikTok employees had accessed American user data, despite the company’s repeated assurances to the contrary. In 2021, for instance, a TikTok executive testified in Congress that American user data was tightly controlled and overseen by a “world-renowned, US-based security team.” Internal documents showed otherwise: in one, a key employee noted that “Everything is seen in China.”
In recent years, TikTok has emphasized its efforts to keep “protected” data pertaining to Americans inside the United States. To that end, it has touted its dealings with Oracle, especially regarding a data center in Texas that supposedly holds all “protected” data.
But what data counts as “protected” is still nebulous, even within the company. And storing the data in the United States is one thing; if Chinese employees still have access to it, it’s hard to say that this data has been “contained” in any meaningful way.
Throughout the internal documents BuzzFeed News reviewed, it appeared that data privacy was not as serious a concern as TikTok’s public statements had indicated. As one consultant noted, “I feel like with these tools, there’s some backdoor to access user data in almost all of them, which is exhausting.”
Following this article, FCC Commissioner Brendan Carr publicly called on Apple and Google to remove TikTok from their respective app stores. He cited concerns regarding the breadth of data TikTok harvests about its users, the company’s repeated misrepresentations regarding so-called “protected” data, and the Chinese Communist Party’s history of conducting espionage through commercial entities.
August 2020: 235 Million Social Media Profiles Exposed in Data Leak
In August 2020, the security company Comparitech discovered an unsecured database that held profile data from 235 million TikTok, Instagram, and YouTube accounts. Once they found the information, they notified the administrator of the database and announced the incident to the press.
The database was fully readable to anyone who connected to it, requiring no password for access and lacking encryption. The data cache consisted of details scraped from various social media accounts, mainly account holder names, ages, genders, and profile image records. However, some records also included email addresses and phone numbers.
The data leak featured information that was initially collected by Deep Social, a company that had scraped social media profile data. While data scraping isn’t illegal, it does violate the terms and conditions on many social media platforms.
Although Deep Social shut down in 2018, the database was taken over by another company, named Social Data. It’s unclear how long this trove of personal data was exposed before Comparitech discovered it in August 2020.
August 2020: Class Action Lawsuit Filed Over Allegations of Improper Personal Data Collection on 89 Million Users
In August 2020, a set of US-based lawsuits targeting TikTok were combined into a class-action suit. The suits all involved the improper collection of personal data, focusing heavily on data collected from children, some of whom were as young as six years old.
Along with harvesting personal data on approximately 89 million users, TikTok was accused of gathering facial recognition data without user consent, and of then sharing that data, again without user consent.
In February 2021, TikTok agreed to a $92 million settlement to compensate impacted users. However, the company continues to disagree with the assertions within the suit, saying that the settlement was a means of avoiding litigation, allowing TikTok to focus on creating a safe and welcoming environment for users.
However, TikTok’s legal woes regarding the practice are ongoing. A UK and EU claim filed on behalf of children in those regions was reported on in April 2021. Suits in other countries may also arise, extending the timeframe before the incident is fully resolved.
February 2019: TikTok Fined $5.7 Million for Musical.ly’s Violations of Child Privacy Laws
In February 2019, the FTC – levying the largest civil penalty for a violation of the Children’s Online Privacy Protection Act at the time – fined TikTok $5.7 million for child privacy violations that occurred on Musical.ly, a social media app that merged with TikTok.
The FTC states that Musical.ly displayed personal information on children under the age of 13 and collected data on the children without obtaining parental consent. Along with requiring first and last names, profile pictures, and a biography, the app defaulted to making profiles public.
Additionally, setting a profile to private still left profile pictures and bios visible to all users and didn’t restrict direct messages, allowing anyone to message the user. Further, until October 2016, Musical.ly had a feature that allowed users to see which other users were within a 50-mile radius.
While the conduct pre-dated the August 2018 merger of Musical.ly and TikTok, the responsibility fell on TikTok. As a result, TikTok agreed to pay the $5.7 million fine for the activity.