TikTok’s CEO wants us to believe the app’s U.S. data is secure. A new report suggests otherwise.

If you thought Shou Zi Chew‘s contentious appearance on Capitol Hill would be a decisive moment in the ongoing quest to ban TikTok, then you didn’t realize how long this battle is going to drag on. In his first public remarks since appearing before Congress, the CEO of the ByteDance-owned app reiterated his company’s commitment to data security. Unfortunately, those comments were quickly undermined by a Forbes report that detailed potential security flaws at one of TikTok’s U.S. data centers.

At the TED 2023 conference, Chew’s talking points were similar to the ones he delivered before Congress. The 40-year-old Singaporean exec reiterated that Project Texas — TikTok’s plan to store sensitive U.S. user data on American servers — is capable of appeasing security concerns raised by politicians who have called for a TikTok ban.

Chew’s Washington, D.C. war of words made him a hero (and a sex symbol) in China, but at TED 2023, the TikTok CEO was all business. He claimed that Project Texas is “very, very far along” and is designed to prevent Chinese authorities from using TikTok to meddle in U.S. elections. “Today, by default, all new U.S. data is already stored in the Oracle Cloud infrastructure,” Chew said. “So it’s in this protected U.S. environment that we talked about in the United States. We still have some legacy data to delete in our own servers in Virginia and in Singapore.”

That “legacy data” could be a thorn in TikTok’s side. One day after Chew spoke at TED 2023, Forbes 

journalist Emily Baker-White published an investigation into Virginia-based data centers utilized by TikTok. Baker-White was one of the reporters who was allegedly tracked as part of a ByteDance surveillance operation codenamed Project Raven.

The new report claims security at the data centers is uneven. After interviewing seven current and former employees and reviewing more than 60 documents, Baker-White uncovered several potential breaches, including unattended boxes of hard drives, unescorted visitors, and unmarked flash drives plugged into servers. “Each new story raises more concerns and provides additional examples of TikTok appearing to misrepresent its data security practices,” said Senator Mark Warner (D-VA), one of the principal sponsors of the recently-introduced RESTRICT Act.

“In the past several years, we’ve increased our investments in people, processes, and technology to help safeguard our community, including establishing a team dedicated to data center operations, maintenance, and compliance,” reads a TikTok statement shared by Forbes.

The Forbes report is a reminder of how quickly TikTok has moved in hopes of preventing a U.S. ban. The company has poured billions into Project Texas, and the fast pace of the initiative could be causing some disorder. There’s still time to save TikTok’s American operations, though a few Montanans may disagree. If Chew wants Congress to take his words to heart, he’ll need to address these data center security concerns first.