Article by reporter Wu Bofeng/photo by our reporter

  "4.85 million NIO registered user data, NIO competitors can pay attention to" "399,000 car owner user ID data, those engaged in 'black and gray production' can pay attention"... A few days ago, someone claimed to have cracked a large amount of NIO car data , and openly sell it on the Internet.

For a time, consumers' concerns about personal information protection spread in the market.

  User data was leaked on a large scale

  It is understood that the data listed on the Internet involves NIO's business and user information, such as order data, car owner ID card data, user addresses, and even private information such as car owners' intimate relationships and car owners' loan data.

According to statistics, the leaked data amounts to more than one million records.

The information is clearly priced, and the prices are all in Bitcoin.

For example, 399,000 pieces of car owner ID card data are priced at 0.25 bitcoins; 650,000 pieces of user address data are priced at 0.15 bitcoins; the entire data set can be bought as a package for 1 bitcoin.

  After the incident, NIO released the "Statement on Data Security Incidents" (hereinafter referred to as the "Statement"), saying that NIO had officially established a special team to investigate and respond, had reported to the relevant regulatory authorities as soon as possible, and was cooperating with the relevant departments on an in-depth investigation. According to the preliminary investigation, the stolen data is some basic user information and vehicle sales information from before August 2021.

  The reporter reviewed NIO's sales data for recent years and found that, after the launch of its first model in December 2017, NIO delivered a total of about 125,500 vehicles during the period from January 2018 to July 2021.

How many users were involved in this information breach?

The reporter sought an answer through the two contact channels provided in the "Statement", telephone and email; the answer given by the relevant staff was "subject to the relevant announcement issued by the company".

  Although Li Bin, chairman of NIO, issued an apology in NIO's official community for the leak of user data, it still failed to completely dispel users' concerns.

  The reporter found in the NIO community that many registered NIO users had expressed their opinions.

A user with the online name "Nao Lian Er" said: "This statement and explanation are completely unjustifiable, and there is no sincerity! The cause of the leak and the specific content of the leak should be made public, as should how such problems will be avoided in the future, and guarantees should be made."

  Some users have been affected by NIO's leak of private information.

A registered user named "Xiao Wanxiong 01" said: "Recently, I suddenly received a lot of calls from car salespeople."

  It is worth mentioning that on October 15, NIO released the "NIO Automobile Privacy Policy" (hereinafter referred to as the "Privacy Policy"), stating that the policy had been officially updated as a whole with effect from that day, and that its content had been calibrated and optimized based on the actual situation so that users can understand more clearly and transparently how the company handles and protects users' personal information.

However, just two months after the "Privacy Policy" was updated, NIO found itself deep in a "leak-gate" scandal, which makes people question the actual effect of the "Privacy Policy".

  Song Jian, a professor at the School of Vehicles and Transportation at Tsinghua University and deputy director of the State Key Laboratory of Automobile Safety and Energy Conservation, said in an interview with a reporter from China Consumer News that NIO's information leak is directly related to the incomplete establishment of the company's own security protection system, which left consumers' personal information without effective protection.

"Protecting consumers' personal information is the duty of car companies. This incident is suspected of infringing on consumers' interests." Song Jian said bluntly.

  Excessive collection makes information difficult to protect

  In fact, this is not the first time that a new car brand has leaked information.

Previously, many new car brands such as Tesla and Xiaopeng had leaked user information.

  Yan Jinghui, a member of the expert committee of the China Automobile Dealers Association, said in an interview with a reporter from China Consumer News that he believes the frequent occurrence of information leakage incidents is related to new car brands' use of more digital functions.

Compared with traditional car companies, the digitalization of new car brands is not only reflected in functions, but also extends to related service areas.

However, information protection is a complex topic, and it requires car companies to provide protection throughout the entire life cycle of the vehicle.

  On this point, consumers who have been to NIO service stores have the same feeling.

When consumers go to a NIO store for the first time, whether they choose to test drive or view the car, the relevant staff will advise them to download the official APP and complete the registration, after which they are assigned a service specialist.

From then on, no matter which city the consumer is in, when they go to a service store again, the relevant staff can check their past records simply by looking up the consumer's registration number.

In addition, according to the "Privacy Policy", in scenarios such as battery rental services, vehicle ordering, car purchase consultation and vehicle test drives, financial leasing services, insurance services, electronic agreement signing, vehicle use and remote vehicle management, car owner services and after-sales services, shopping in the mall, payment, and event registration, NIO will collect information such as name, valid ID number, mobile phone number, real-time location information, bank card number, vehicle charging and battery-swap information, and vehicle and battery maintenance and warranty records.

  In contrast, whether it is car purchase consultation or normal vehicle maintenance records, most traditional car companies and car owners do not face this problem.

  Song Jian said that any link in the handling of data may become a source of information leakage if it is not backed by comprehensive protective measures.

There is no doubt that the more points at which information is collected from consumers, the greater the pressure to prevent the leakage of private information.

  Investigating the two hidden dangers is urgent

  As of press time, the specific cause of the incident is still under investigation.

A statement made by Lu Long, chief information security scientist of NIO and head of its information security committee, caught the attention of reporters.

  Lu Long said in the NIO community: "This incident does not involve the data generated during the use of the vehicle (such as driving trajectory, cockpit data), nor does it affect the driving or remote control of the vehicle. We are still investigating the cause of the data leakage and the scope of its impact."

  The car is a private living space, so the protection of information privacy in the car is very important to consumers.

In this regard, the ES8 founding owner "Hi Xun Ge" raised his own question: "The implication is, will it involve voice, image and other data in the car?"

  In response to this statement, Yan Jinghui believes that the specific situation has yet to be given an official explanation by NIO, but that this answer can easily raise doubts, including about the claim that data such as driving trajectory and cockpit data was not leaked. NIO should specify what measures and methods were taken to keep the driving trajectory from leaking, which would help ease the anxiety of the consumer market, especially that of the car owners involved in this incident.

  When analyzing the specific causes of the incident, Song Jian said that in general, information leakage mainly involves two aspects: human factors and technical reasons.

From a technical point of view, setting aside the human factors in information leakage, NIO does not produce chips itself but obtains them through external procurement.

Many chips have their own "back door", and the information on them is likely to be collected inadvertently, which is difficult to avoid.

"Using an external chip is equivalent to using the company's computer system, and as to whether there is a 'back door' hidden in the chip, unless it is deciphered (there is no way to know)," Song Jian further explained.

  In addition, human factors may also have been the trigger for this information leakage incident.

"Adhering to a responsible attitude towards consumers, NIO should step up efforts to improve its technical level in the future, such as firewalls, data protection capabilities, etc., and effectively reduce the interference of human factors through technological improvement as much as possible, so that user information privacy can be better protected." Yan Jinghui said that it is not yet known whether private information was leaked internally for economic gain, which requires that the strengthening of internal management be given equal importance.