Gravy Analytics Data Breach: Millions at Risk

Data Breach at Gravy Analytics Exposes Millions of Location Records
A significant security incident involving Gravy Analytics, a location data broker, is currently jeopardizing the privacy of a vast number of individuals globally. The compromised data originates from smartphone applications that unknowingly transmitted user location information to the company.
Scope of the Breach
While the complete extent of the data breach remains under investigation, the perpetrator has already released a substantial sample of location data. This data was harvested from a variety of popular consumer applications, including those focused on fitness, health tracking, dating, public transportation, and gaming.
The leaked information encompasses tens of millions of location data points, detailing individuals’ frequented locations, residential addresses, workplaces, and travel patterns.
Discovery and Reporting
The breach came to light last weekend when a hacker publicized screenshots of location data on a Russian-language cybercrime forum. The hacker claimed to have stolen several terabytes of consumer data from Gravy Analytics.
404 Media, an independent news source, was the first to report on the forum post detailing the alleged breach. The post specifically claimed the compromise of historical location data from millions of smartphones.
NRK, a Norwegian broadcaster, reported on January 11th that Unacast, the parent company of Gravy Analytics, had disclosed the breach to Norwegian data protection authorities, as mandated by local legislation.
Company Background
Founded in Norway in 2004, Unacast merged with Gravy Analytics in 2023. This merger was promoted as creating one of the largest repositories of consumer location data available.
Gravy Analytics itself claims to monitor the activity of over a billion devices worldwide on a daily basis.
Details of the Incident
In a data breach notification submitted to Norway, Unacast stated that it identified unauthorized access to files within its Amazon cloud environment on January 4th. This access was gained through the use of a compromised key.
The company was alerted to the breach through direct communication from the hacker, though further specifics were not disclosed. Following the incident, Unacast temporarily suspended its operations.
Unacast also informed data protection authorities in the United Kingdom about the breach. The U.K.’s Information Commissioner’s Office (ICO) has confirmed receiving a report from Gravy Analytics and is currently conducting inquiries, according to spokesperson Lucy Milburn.
Lack of Response
Executives Jeff White and Thomas Walle of Unacast did not respond to multiple email requests for comment from TechCrunch this week.
A statement received by TechCrunch from a generic Gravy Analytics email address acknowledged the breach, stating that the company’s investigation is still in progress.
Current Status
As of the time of this report, the Gravy Analytics website remains inaccessible. Several other domains associated with the company also appear to be offline, based on checks conducted by TechCrunch over the past week.
- Key Takeaway: The breach highlights the risks associated with the collection and storage of sensitive location data.
- Affected Parties: Millions of smartphone users are potentially impacted by the exposure of their location information.
- Ongoing Investigation: The full scope of the breach and its implications are still being determined.
Over 30 Million Location Data Points Have Been Exposed
Concerns regarding the potential threats posed by data brokers to both individual privacy and national security have been consistently raised by privacy advocates. Analysis of a sample of location data from Gravy Analytics, released by a hacker, indicates the capacity for detailed monitoring of individuals’ movements.
Baptiste Robert, CEO of Predicta Lab, a digital security company, confirmed that the leaked dataset comprises over 30 million location data points. He shared this information in a series of posts on X. The data includes device locations at the White House, the Kremlin, Vatican City, and various military installations around the world.
Sensitive Locations Identified
Robert’s shared maps revealed the location data of Tinder users throughout the United Kingdom. Furthermore, analysis demonstrated the ability to potentially identify military personnel by correlating the compromised data with known Russian military site locations.
The leaked information facilitates the deanonymization of individuals, as demonstrated by tracking a person’s journey from New York to their residence in Tennessee. Forbes highlighted the specific risks to LGBTQ+ users, as location data from specific applications could expose them in nations where homosexuality is illegal.
Recent Regulatory Action
This data breach follows a recent decision by the Federal Trade Commission (FTC) to prohibit Gravy Analytics and its affiliate, Venntel, from collecting and distributing location data of American citizens without explicit consent. The FTC alleged that the company engaged in the unlawful tracking of individuals to sensitive areas, such as medical facilities and military bases.
The FTC’s action underscores the importance of protecting consumer location data. Data privacy remains a critical concern in the digital age.
Location Data Acquisition via Ad Networks
Gravy Analytics obtains a significant portion of its location data through a system known as real-time bidding. This process is fundamental to the digital advertising ecosystem, facilitating rapid auctions – lasting mere milliseconds – to determine which advertisement is presented to a specific device.
Within these incredibly swift auctions, advertisers participating in the bidding process gain access to certain device details. This includes the device manufacturer and model, its IP addresses (which can be utilized to estimate a user’s general location), and, when user permission is granted, more accurate location information. Other technical parameters influencing ad display are also considered.
However, a consequence of this system is that any advertiser involved in bidding, or those observing these auctions, can also acquire access to this “bidstream” data. This data encompasses device information and can be leveraged by data brokers – including those serving governmental entities – to compile comprehensive profiles of individuals and their movements by integrating it with data from other sources.
Security researchers, such as Robert from Predicta Lab, have analyzed this location data and identified numerous apps displaying advertisements that unknowingly share bidstream data with data brokers.
The dataset originates from widely used applications on both Android and iPhone platforms, including FlightRadar, Grindr, and Tinder. These apps have all denied any direct commercial relationship with Gravy Analytics, while confirming that they do serve advertisements. The structure of the advertising industry allows user data to be collected from ad-serving apps even without the app developers’ explicit knowledge or consent.
As highlighted by 404 Media, the precise methods Gravy Analytics employed to amass its extensive location data remain unclear. It is uncertain whether the company directly collected the data or acquired it from other data brokers. Investigations by 404 Media revealed that a substantial amount of the location data was inferred from the device owner’s IP address, which is then geolocated to approximate their physical location, rather than relying on explicit GPS access permissions.
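To make the bidstream leakage concrete, the following Python is an added illustration (not code from the article, from Gravy Analytics, or from any ad exchange). It shows the device and location fields a bid request carries and a data-minimization step a publisher or exchange could apply before the request reaches bidders. It assumes OpenRTB 2.x JSON field names (device.ip, device.ifa, device.geo.lat/lon/type), which the article does not name; the sample request and its values are constructed.

```python
import ipaddress
import json
# Constructed sample bid request. Field names follow the OpenRTB 2.x JSON schema
# (an assumption: the article does not name the protocol); all values are invented.
SAMPLE_BID_REQUEST = json.dumps({
    "id": "req-001",
    "app": {"bundle": "com.example.fitnessapp"},
    "device": {
        "make": "Google", "model": "Pixel 7",
        "ip": "203.0.113.45",
        "ifa": "11111111-2222-3333-4444-555555555555",  # resettable advertising ID
        "geo": {"lat": 38.8977, "lon": -77.0367, "type": 1},  # type 1 = GPS fix
    },
})

# OpenRTB geo.type: 1 = GPS/location services, 2 = derived from IP, 3 = user-provided.
GEO_SOURCE = {1: "gps", 2: "ip", 3: "user"}


def location_source(request_json: str) -> str:
    """Classify how a bid request's location was obtained: gps, ip, user, unknown or none."""
    geo = json.loads(request_json).get("device", {}).get("geo")
    if not geo or "lat" not in geo:
        return "none"
    return GEO_SOURCE.get(geo.get("type"), "unknown")


def coarsen_ip(ip: str) -> str:
    """Keep only the /24 (IPv4) or /48 (IPv6): still geolocates to a city, not a household."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def minimize_bid_request(request_json: str, decimals: int = 2) -> dict:
    """Return a copy with the advertising ID dropped, the IP coarsened and lat/lon rounded
    to `decimals` places (2 places is roughly 1 km), so a party that logs bid requests
    cannot rebuild a home or workplace from them."""
    req = json.loads(request_json)          # fresh object; the input string is untouched
    device = req.get("device", {})
    device.pop("ifa", None)
    for key in ("ip", "ipv6"):
        if key in device:
            device[key] = coarsen_ip(device[key])
    geo = device.get("geo")
    if geo:
        for axis in ("lat", "lon"):
            if axis in geo:
                geo[axis] = round(geo[axis], decimals)
    return req
```

Note that coarsening only limits what a bidder can reconstruct from the request; it does not change which bidders receive it, which is the structural problem the article describes.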
Safeguarding Your Privacy: Preventing Ad Surveillance
According to the Electronic Frontier Foundation, a leading digital rights organization, advertising auctions are a pervasive element of the modern web. However, individuals are not without recourse and can implement strategies to mitigate advertising surveillance.
Employing an ad-blocker – or a comparable content blocker on mobile devices – represents a robust defense. These tools function by preventing ad code from being loaded within the user's browser, effectively halting the surveillance process at its source.
Both Android and iOS operating systems incorporate built-in functionalities designed to impede advertiser tracking. These features aim to limit the ability of advertisers to correlate pseudonymous device data with an individual’s true identity.
Apple device users can navigate to the “Tracking” section within their Settings and disable the option allowing apps to request tracking permission. This action effectively nullifies the device’s unique identifier, rendering it anonymous amongst other devices.
As Robert explained to TechCrunch, disabling app tracking ensures that your data remains unshared.
Android users should access the “Privacy” and then “Ads” sections within their phone’s settings. If available, deleting the advertising ID prevents applications from accessing the device’s unique identifier. For users lacking this option, periodic resets of the advertising ID are recommended.
Limiting app access to your precise location, particularly when not essential for functionality, further minimizes your digital footprint.
Protecting your privacy requires proactive measures, but these steps can significantly reduce the extent of ad surveillance.