Long Lu, Chief Scientist and Global Head of Digital Safety and Security at Chinese new energy vehicle firm NIO, issued a statement on December 20 confirming the recent theft of user data and the extortion of $2.25 million in bitcoin. In the evening, William Li, the founder, chairman and CEO of the firm, apologized for the incident.
Li wrote, “It is our responsibility to protect users’ information security. We apologize to everyone for not doing a good job. NIO will take responsibility for the losses caused to users by this incident and will cooperate with relevant departments to investigate it in depth, to trace the illegal and criminal acts of stealing and selling data related to this incident to the end. We will not compromise with criminals. Please provide clues in a timely manner.”
In response to this incident, Long Lu later claimed that the incident did not involve data generated during vehicle use, nor would it affect driving performance.
On the same day, a NIO customer service staff member, responding to an inquiry from a Chinese media outlet, said that the cause and scope of the data leak are still under investigation, and that for the time being the company will not proactively inform car owners that their data has been leaked or proactively offer compensation. Car owners with any needs or doubts can contact the company’s exclusive staff and customer service.
An image purported to show NIO’s stolen data previously circulated online, indicating that the leaked data included records of 228,000 internal NIO employees, ranging from the company president to basic-level workers, as well as 3,990,000 pieces of ID card data and 650,000 pieces of user address data, with extortion prices ranging from 0.1 to 0.25 bitcoin.
In the statement issued by NIO, the leaked data is confirmed to involve “basic information of users.” According to NIO’s official app, the tags of “user’s personal information” and “account binding” currently contain information such as city, address and mobile phone number.
For NIO car owners who have gone through the car purchase formalities and filled in the “My Credentials” section, the data may include more private personal information such as ID card, passport, salary, social security, provident fund, property ownership certificate, driving license, driver’s license, and car purchase certificate.
In the comment area under NIO’s statement, many users expressed that they hope “NIO will cooperate with users to modify the information in time to prevent the relevant information of car owners from being used and affecting their family and friends,” and “personal information in the software can be deleted quickly.”
There have been many discussions related to personal automotive data security in the past, but among “new energy vehicle companies, NIO has the first large-scale data leakage incident.” According to a report by STAR Market Daily, an investor who has been focusing on the network security industry for a long time said, “The incident was possibly not leaked through the car itself, but through the company database. Ensuring the data security of smart cars will become one of the core competitiveness of car companies in the future.”