Further investigation by NRK uncovered that unencrypted data was sent to vnet.cn, an address associated with China Telecom. This data was sent every time a Nokia 7 Plus unit was booted or unlocked. Microsoft sold the Nokia brand to HMD Global in late 2016 after the death of the Lumia line. It was shortly followed by a number of new Android and feature phones, with Nokia 7 Plus launching in May 2018.
HMD Global Response
Currently, it appears only one batch of Nokia 7 Plus phones exhibits the behavior. HMD global assures users that the data was sent due to a data breach, but an error on its end. Some handsets were loaded with a device activation client meant for Chinese models but were then shipped globally. HMD says none of the data sent was personally identifiable and that the contacts were attempts to verify the device’s warranty. It says that vnet.cn is in fact owned by itself and that registrar data pointing to China Telecom is incorrect. The company says it patched the issue back in February 2019, but users were not alerted of the fix, nor that their data had been transferred erroneously. It maintains that all of its devices follow GDPR requirements and that it holds regular third-party audits. Regardless, the Finish watchdog will make sure HMD Global hasnt’ violated GDPR, discerning if its claims about user information are accurate.