Hackers have claimed to have hacked Gravy Analytics, a company that sells smartphone location data to the US government. The attackers allegedly gained access to a large amount of data, including customer lists, industry information, and precise user geolocation. The hackers have threatened to publish the information if the company does not respond within 24 hours.
A Serious Warning for the Location Data Industry
The incident has become a serious warning for the entire location data trading industry. For years, companies have collected location data through mobile apps and advertising networks, then sold it to private companies and government agencies. Clients include the US Department of Defense, the Department of Homeland Security, the Internal Revenue Service, and the FBI. However, such data is becoming an attractive target for cybercriminals.
On forums, the hackers published samples of the data, including the exact coordinates of users, the time of movement, and additional classifiers, such as “likely driving.” Among the data were details of users from various countries, including Russia, Mexico, and the Netherlands. Some of this data has already been used by US agencies for immigration operations.
The hackers claim to have gained access to the Gravy Analytics infrastructure back in 2018. Screenshots show full access to the company’s servers, domains, and Amazon S3 storage. The hacked servers are also reported to be running Ubuntu, highlighting the scale of the leak.
In 2023, Gravy Analytics was acquired by Unacast, but the company’s website remains inaccessible. Unacast representatives did not provide any comment on the situation.
Gravy Analytics (Venntel’s parent company) has clients that include Apple, Uber, Comcast, Equifax, and US government contractors such as Babel Street. The latter has previously used this data for tracking tools, including monitoring visitors to abortion clinics.
Ongoing Investigations and Repercussions
The US Federal Trade Commission (FTC) previously launched an investigation against Gravy Analytics and Venntel. The companies were accused of selling confidential data without user consent and were ordered to delete historical geolocation data. The FTC stated that the companies violated a law prohibiting unfair use of personal information.
Earlier, it became known that US military bases in Europe were at risk due to leaks of location data collected for targeted advertising, reminds NIXSOLUTIONS. The investigation found that US companies collecting data for advertising purposes can inadvertently allow the tracking of movements of military and intelligence personnel.
We’ll keep you updated on any new developments regarding this incident. So far, no further statements have been released by Gravy Analytics or its parent company, and the outcome of the hackers’ threat remains to be seen.