HMD calls the event “an error” and has issued a patch.
HMD is in hot water following a report from Norwegian site NRKbeta, which found that HMD’s Nokia 7 Plus was sending users’ personal information to a server in China. HMD responded to the report, admitting, “Our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus.”
NRKbeta’s investigation found the Nokia 7 Plus was sending the IMEI, MAC ID, and the SIM ICCID, all of which are unique hardware or SIM card identifiers that could be used to track an individual. There was also rough location information, as the device sent the ID of the nearest cell tower. NRKbeta’s article is in Norwegian, but through Google Translate the site claims this data was sent every time the phone was switched on and that the phone was sending this data for several months.
HMD admits this data ended up on “a third-party server” but claims the data “was never processed.” The company identifies the information sent as “activation data” and then says that “no person could have been identified based on this data.” HMD’s claim here is a bit strange, considering the entire point of “activation data” is to identify someone so they can be billed for cellular access.
NRKbeta says Chinese server in question was http://zzhc.vnet.cn, which apparently belongs to the state-owned China Telecom. China has been a major focus for HMD, and the country often gets the company’s Nokia phones before the rest of the world. HMD says its activation data ended up in China due to shipping the wrong “country variant” of an activation app.