Finland’s data protection watchdog is investigating reports that HMD Global’s Nokia phones have been sending user data to a Chinese server. The strange behavior was first spotted by Nokia 7 Plus user Henrik Austad, who quickly passed the information to NRK.
Further investigation by NRK uncovered that unencrypted data was sent to vnet.cn, an address associated with China Telecom. This data was sent every time a Nokia 7 Plus unit was booted or unlocked.
Microsoft sold the Nokia brand to HMD Global in late 2016 after the death of the Lumia line. The sale was shortly followed by a number of new Android and feature phones, with the Nokia 7 Plus launching in May 2018.
HMD Global Response
Currently, it appears only one batch of Nokia 7 Plus phones exhibits the behavior. HMD Global assures users that the data was sent not due to a data breach, but because of an error on its end. Some handsets were loaded with a device activation client meant for Chinese models but were then shipped globally.
HMD says none of the data sent was personally identifiable and that the contacts were attempts to verify the device’s warranty. It says that it in fact owns vnet.cn and that registrar data pointing to China Telecom is incorrect.
The company says it patched the issue back in February 2019, but users were not alerted to the fix, nor told that their data had been transferred erroneously. It maintains that all of its devices follow GDPR requirements and that it holds regular third-party audits.
“We can confirm that this is incorrect speculation and no Nokia phones are impacted. All device data of Nokia Phones other than the China variant is stored at HMD Global’s servers in Singapore provided by Amazon Web Services,” said the company. “HMD Global takes the security and privacy of its consumers seriously and complies with all applicable privacy laws.”
Regardless, the Finnish watchdog will make sure HMD Global hasn’t violated GDPR, discerning if its claims about user information are accurate.