Over the holidays, people started to report on social media and in forums that they had received certified letters in the mail from DJI. The letter, titled “NOTICE OF DATA BREACH”, warns DJI’s customers that their personal information, such as full name, address, date of birth, photo, and identification number (e.g., passport number or driver’s license number) as well as scanned photo identification such as ID cards and passports, stored on a server in the U.S., may have been accessible to unauthorized users.
DJI’s certified “NOTICE OF DATA BREACH” letter
The DJI letter goes on to explain that on September 27, 2017, a security researcher informed DJI that customer data stored on a DJI server in the U.S. was accessible to unauthorized users. We believe this security researcher to be Kevin Finisterre, who walked away from the $30,000 bug bounty recently. DJI responded with a public statement and explained the actions they had taken in response to this matter.
DJI’s certified letter “NOTICE OF DATA BREACH” that was sent on December 13 is the latest development in this matter. In the letter, DJI states that based on a preliminary investigation, the Chinese drone manufacturer believes that other people may have had access to DJI customers’ personal information.
DJI explains that personal information has been compromised in the data breach and may include information such as full name, address, date of birth, photo, and identification number (e.g., passport number or driver’s license number) as well as scanned photo identification such as ID cards and passports. This is the same sort of information Finisterre discovered and wrote about in his PDF document: “Why I walked away from $30,000 of DJI bounty money”.
Currently, DJI does not believe that any financial information such as credit card or bank account information was included in the data breach, but as the investigation is ongoing, this may change in the future. DJI has taken a number of steps to safeguard their customers’ information and to prevent data breaches from happening in the future.
DJI has taken steps to beef up their data security. They replaced SSL certificates, fired software developers, limited the number of people that have access to customer information, and provided additional training to their staff. DJI also hired an outside forensics firm to assist in the investigation. The company believes that as the investigation continues new information may surface.
DJI advises on steps you can take to protect your information
DJI included an “IDENTITY PROTECTION REFERENCE GUIDE” with information and steps customers can take to protect their personal and financial information, such as placing a fraud alert or a security freeze on their credit reports. You can download the letter and reference guide here.
What do you think about data security? Are you concerned that your personal data may be exposed or do you think that information captured by DJI’s drones may, in fact, be sent to China and possibly end up in the hands of the Chinese government? Let us know in the comments below.