HMD, an independent Finnish company, started marketing the Android smartphones manufactured by Nokia in late December 2016. Since then, the Finnish company has been an essential part of Nokia’s yearly sales. Recently, the company was charged with some serious allegations regarding a potential security leak in one of its devices. HMD accepted that its Nokia 7 Plus was sending users’ personal information to a server in China. An official said, “Our device activation client meant for another country was included mistakenly in the software package of a single batch of Nokia 7 Plus.”

User data at risk with a probable mistake

Upon further investigation, it was found that the Nokia 7 Plus was sending the IMEI, MAC Address and SIM ICCID. These hardware and SIM card identifiers are prominent enough to track any user. The leak also included the transmission of a user’s approximate current location. This data was being sent continuously, and every time the phone was switched on. This security leak has been around in the device for several months.

However, HMD claims that although the data was sent to a “third-party server,” “but it was never processed.” The company, as stated earlier, claims the information was sent as “activation data” and it was “impossible for any user to be identified by this data.” HMD’s claim, in a technical sense, is utterly confusing because “activation data” is specifically used to identify an individual so they can be billed for cellular access.

Data transmission to Chinese state-owned Telecom: Is something fishy?

The Chinese server on the receiving end of this allegation was (zzhc.vnet DOT cn), which deceptively belongs to the state-owned China Telecom. The incident can be considered a genuine mistake since HMD’s primary focus has been in China. The country often gets the company’s latest Nokia phones before the global release.

HMD has already said, “This error has already been identified and fixed in February 2019” and that “all affected devices have received this fix and nearly all devices have already installed it.” Presumably, that means any Nokia 7 Plus owners running the “March 2019” Android security patches should have the update.

HMD admits data leak

Europe’s Data Integrity might hold HMD guilty

HMD’s claim of fixing the issue is an improvement in the whole scenario, but it is not the possible end of the entire situation. The company might be neck-deep in hot water following a probable violation of Europe’s General Data Protection Regulation (GDRP), which limits the exporting of user data outside of the EU. HMD is based in Finland, so Finland’s Data Protection Ombudsman is considering investigating the incident. HMD said it “takes the security and privacy of its consumers seriously” and that it will cooperate with any investigation.