Nokia says its phones sent data to China by mistake

Nokia phone brand owner HMD Global is understandably nervous about Finland investigating claims that its handsets send sensitive data to China, and is trying to clear its name. The company said in a statement that it "mistakenly included" the device activation software for Chinese phones in a "single batch" of Nokia 7 Plus phones meant for other countries. However, that data was "never processed" and wasn't personally identifiable, according to the company. It was fixed through a software update in February 2019, and "nearly all" phones already have that patch.

The Finnish data protection watchdog has confirmed it's investigating HMD Global's Nokia-branded phones over reports they were found to be sending unencrypted data to a Chinese server. Details first emerged after a user, Henrik Austad, tipped off the Norwegian broadcaster NRK, who investigated the breach.

NRK's investigation revealed that the server being contacted was associated with the domain "vnet.cn," which is linked to the state-owned telco China Telecom. The data was being sent in an unencrypted format by a Nokia 7 Plus, a phone first released in March last year.

Responding to the report, HMD Global - which manufactures Nokia-branded phones under license from Nokia - admitted that the breach occurred, and said that it was caused by "an error in software packaging process." However, it sought to downplay its significance, saying that only "a single batch of one device model" was affected, and that "no personally identifiable information has been shared with any third party." HMD hasn't explained why data was being sent to a Chinese server, though.

The company also rejected talk that other phones would send similar data. Every Nokia phone outside of China sends device data to HMD Global servers (provided by Amazon Web Services) in Singapore, the company said, and abides by local laws.

This won't necessarily put the Finnish investigation to bed, and the claims about the nature of the data don't paint a full picture. While they don't directly identify a person, they could be used with corroborating info to get a clearer picture of that person's life. Still, the issue appears to have been fixed -- it's just an unpleasant reminder that a slip-up at the factory is enough to put data at risk.

Although the bug was patched back in February, the Finnish ombudsman will be investigating whether any personal information was sent, as well as whether there was any legal justification for doing so.