TikTok's Virginia data center is home to a number of critical security failures, a Forbes report found.
Based on multiple interviews and more than 60 documents, photos, and videos from the data centers, the publication found multiple serious issues at the ByteDance facilities, as well as clear links to the company's Chinese operations.
The data centers had unmarked flash drives plugged into servers, unescorted visitors, and boxes of hard drives left unattended in hallways. Those interviewed blamed it on the social media company rushing to increase storage capacity and cutting corners.
The company rents space in Northern Virginia, with its data halls managed by ByteDance and contract workers from several undisclosed data center management firms.
While ByteDance uses multiple record-keeping systems to track server and other hardware repairs, three sources told Forbes that modifications had been made to servers that were not recorded in such systems, while four said they had seen unmarked and “unticketed” flash drives plugged into servers.
Four sources also said that the company’s degaussers, used to wipe and destroy old hard drives, were often broken. This meant that staff took the drives to other data centers to destroy them, which would have allowed people to walk off with drives if they had wanted.
Six sources also independently told Forbes that they had heard of employees using servers to mine cryptocurrency.
Servers in the data center were shown to be from Inspur, a Chinese server company that was recently blacklisted by the US government but has historically had long ties to Western companies and has been widely used.
Documents also show that as recently as last week, server work orders were sent to data center technicians by Beijing ByteDance Technology Co., Ltd., a ByteDance subsidiary partially owned by the Chinese government. TikTok has repeatedly claimed that the Chinese state has no control over its operations.
The company blamed the work orders on "an artifact of a ticketing system," which "does not provide any access to user data."
The company, which faces being blocked in the US due to concerns about its alleged ties to the Chinese government, plans to move US data to Oracle Cloud as part of what it calls 'Project Texas.'