One of the largest companies that tracks the location of Americans through smartphone data has been hacked by Russian cybercriminals for a ransom, according to two cybersecurity researchers and a person who has published a huge trove of allegedly hacked files. .
The incident would be one of the largest known breaches of a handful of controversial US companies that sell people’s location data, a gold mine for advertisers as it can be used to extensively map a person’s life, usually without their knowledge.
The company Gravy Analytics and its subsidiary Venntel were charged last month by the Federal Trade Commission with illegally collecting and selling location data from Americans without their knowledge or obtaining proper legal consent. Some of the people Gravy tracked were monitored in sensitive locations such as government buildings, health clinics and places of worship, the FTC said.
Smartphones generate important data both from how they connect to cell towers and wireless Internet providers, and through applications, particularly third-party applications that require location data. The ubiquity of smartphones in everyday life has spurred an industry of shadowy companies that buy, package and sell data. While that data is typically advertised to marketers, it is also sold to governments.
Gravy’s website has been down since at least Tuesday. Emails sent to Venntel and Gravy’s parent company Unacast were undeliverable. Several company executives contacted by NBC News did not respond to a request for comment.
Gravy has claimed that it “collects, processes, and selects” more than 17 billion signals from people’s smartphones every day, according to the FTC complaint.
Venntel sells Gravy data on people’s locations to help establish what the online advertising industry calls a “pattern of life.” The companies’ marketing materials give an example of how to identify a target’s “sleeping location, workplace, and visits to other USG members.” [United States Government] buildings” and can show where people are: “home, gym, night school, etc.,” the complaint says.
On Saturday, a hacker from a popular Russian cybercrime forum called XSS claimed to have hacked Gravy. He posted screenshots and uploaded 17 terabytes of data, a massive trove, as proof. Writing in Russian, the hacker claimed that more would rise if Gravy did not pay an unspecified ransom.
The files have since been deleted, but not before they were downloaded and shared among cybersecurity researchers, two of whom analyzed them and said they considered them likely authentic.
John Hammond, a researcher at the cybersecurity company Huntress, told NBC News that when he reviewed the data, he found a database of more than 300,000 people’s email addresses. NBC News reviewed some of those addresses through HaveIBeenPwned, a website that checks email addresses to see if they have been exposed in previous breaches, and found that some of the addresses at the alleged Gravy dump have not been part of other major violations.
“Organizations whose sole mission is data collection and aggregation will undoubtedly be an attractive target for threat actors. “While we don’t know their initial access method, or ‘how the hackers got in,’ it’s clear they compromised more than enough to make an impact with this type of data,” Hammond told NBC News.
Baptiste Robert, CEO of French privacy and location data company Predicta Lab, downloaded the sample data and told NBC News that the leaked material appears to show people tracked in around 30 million locations around the world. The data does not explicitly identify individuals by name or contain other identifying information, but rather follows the data broker industry’s practice of assigning individuals a series of numbers as a pseudonym, it said.
Although data brokers claim that using advertising ID pseudonyms protects their privacy, researchers have repeatedly shown that location data can make it easier to identify people. If tracking data from a particular cell phone shows that a person spends most of their nights at a particular address, for example, that person likely owns or rents that home.
The United States does not have a comprehensive federal privacy law, although privacy advocates and even the Biden administration have called for one. Last year, researchers at Duke University found that U.S. military service members’ data, including location data, is widely sold by data brokers.
In 2023, the Office of the Director of National Intelligence found that U.S. intelligence agencies, which are restricted from directly surveilling Americans, often purchase data about Americans from intermediaries and have little direction or oversight in that process.
