MANILA, Philippines - State-owned Norwegian news outlet NRKBeta reported that a certain number of Nokia 7 Plus units sent user data to a server in China, Thursday, March 21.
The news was later confirmed by HMD Global, who owns the Nokia license for phones, who in a press release admitted to the incident.
In their investigation, NRKBeta discovered that the affected Nokia 7 Plus units sent the user’s geographical position, SIM card number, and serial number to a Chinese server every time the device was turned on or unlocked.
The Chinese variants of the Nokia 7 Plus have special software that sends data to a Chinese server. This, according to Nokia, is in compliance with the "China Cyber Security Law," which obligates companies to store data originating from China in China. The problem is that the China-specific software "mistakenly" found its way to a batch of Nokia 7 Plus phones that are meant for other markets, and not China.
This data reportedly allowed the recipient or anyone with access to the traffic stream to track the device’s real-time movements.
HMD Global, however, said that the data collected was not processed and is not personally identifiable.
The report, who cited a tipster, also found that the data packets were sent to a domain owned by China Telecom, a government-owned telecommunications provider.
As of now, it's unclear how many devices and what regional shipments of the phone were affected.
“This error has already been identified and fixed in February 2019 by switching the client to the right country variant,” they added. “All affected devices have received this fix and nearly all devices have already installed it.”
The phone was originally released in March 2018. In June 2018, it was released in the Philippines. From its initial date of release, this means it took HMD Global nearly a year to spot and fix the software error.
HMD Global has published steps on checking if your phone has the fix:
Finnish Ombudsman for Data Protection Reijo Aarnio told NRKBeta he wants to open investigations against HMD Global for allegedly violating Europe’s General Data Protection Regulation (GDPR).
NRKBeta is looking at other Nokia models – the 2, 3 and 5 – for similar data leaks, and have found trace evidence pertaining to such but, at the moment, may be inconclusive. To this, HMD Global has told NRKBeta that they are investigating before commenting further. – Rappler.com