Source: 404media
Hackers have claimed responsibility for breaching Gravy Analytics, a company that sells smartphone location data to the U.S. government. The perpetrators allege they have obtained a vast trove of information, including client lists, industry-specific data, and precise geolocation details of users. They are threatening to publish the stolen data if the company fails to respond within 24 hours.
This incident serves as a stark warning to the entire geolocation data trade industry. For years, companies have collected location data via mobile apps and advertising networks, subsequently selling it to private entities and government agencies. Clients reportedly include the U.S. Department of Defense, the Department of Homeland Security, the IRS, and the FBI. However, this data has increasingly become a lucrative target for cybercriminals.
On forums, the hackers have shared samples of the stolen data, revealing exact user coordinates, timestamps of movements, and additional classifications such as “likely driving.” The dataset reportedly includes information about users from various countries, including Russia, Mexico, and the Netherlands. Some of this data has already been utilized by U.S. agencies for immigration operations.
The hackers claim they gained access to Gravy Analytics’ infrastructure as far back as 2018. Screenshots allegedly show full access to the company’s servers, domains, and Amazon S3 storage. Reports indicate that the compromised servers run on Ubuntu, underscoring the scale of the breach.
In 2023, Gravy Analytics was acquired by Unacast, but the company’s website remains inaccessible. Representatives of Unacast have not provided comments on the matter.
Clients of Gravy Analytics (and its parent company, Venntel) reportedly include Apple, Uber, Comcast, Equifax, and U.S. government contractors like Babel Street. The latter has previously used geolocation data for tracking tools, including monitoring visitors to abortion clinics.
The U.S. Federal Trade Commission (FTC) had previously launched an investigation into Gravy Analytics and Venntel, accusing them of selling sensitive user data without consent. The FTC ordered the companies to delete historical geolocation records, asserting that their actions violated laws prohibiting unfair use of personal information.
In a related development, American military bases in Europe were found to be at risk due to location data leaks collected for targeted advertising. Investigations revealed that U.S. companies legally gathering data for advertising inadvertently enabled the tracking of personnel at military and intelligence sites.
