The data stolen was some basic user information and vehicle sales information through August 2021, NIO said.
NIO (NYSE: NIO) recently suffered a data breach in which a hacker team demanded millions of dollars.
On December 11, NIO received an external email from a hacker claiming to have the company's internal data and demanding $2.25 million worth of bitcoin, according to a statement from the company today.
Upon receiving the email, NIO immediately set up an investigation team and reported the incident to regulators at the first opportunity, the statement said.
Preliminary findings indicate that the data stolen was some basic user information and vehicle sales information before August 2021, NIO said.
"We apologize for the impact this incident has had on our users and solemnly promise to take responsibility for any damages caused to our users as a result of this incident," the statement said.
Stealing, buying and selling such data is illegal, and the company severely condemns such acts and will not bow to cybercrime, NIO said, implying it will not pay the ransom.
NIO will work with law enforcement to investigate the incident and firmly combat data theft and trading, it said.
NIO has a responsibility to use all means to protect the security of user information, the company said, adding that after the incident, it made enhancements to cyber information security to prevent similar incidents from happening again.
"We will learn from the lessons and strengthen our technical strength to continuously improve the security protection of NIO's information systems to fully protect the information security of our users," the statement said.
William Li, founder, chairman and CEO of NIO, replied to the statement on the NIO App, saying that the company deeply apologizes and will bear the damages caused to users because of this incident, but the company will not give in to the illegal act.
In his response to the statement, Lu Long, NIO's chief information security scientist and head of the information security committee, said the leaked data did not involve data generated while the vehicles were in use, such as driving tracks and cockpit data, and did not affect the driving of the vehicles or their remote control.
"We are still further investigating the cause and scope of the data breach," Lu said.
Earlier today, an image circulating on social networks showed that someone claimed to have cracked NIO's internal data and was selling it publicly.
The hacker team said they gave NIO two chances to buy the data back with a ransom, but were denied.
The image shows that the leaked information included 22,800 pieces of NIO employee data, 39,900 pieces of owner identification data, 650,000 pieces of user address data and other data including owner loan information.
The hacker team sells different types of data for prices ranging from 0.1 bitcoin to 0.25 bitcoin, with the full packet costing 1 bitcoin.
This is the second incident related to information security and cryptocurrency that NIO has encountered this year.
In early April, NIO said in an internal notice that one of the company's server managers had taken advantage of his position to use the company's servers for Ether mining for more than a year.
The company's compliance and risk management department received a complaint on September 1, 2021, about the employee, surnamed Zhang, allegedly using the server he managed for cryptocurrency mining.
The conduct violated the law and negatively impacted the company's system security and business information security, NIO's notice at the time said, adding that the employee admitted to his actions.