One of the largest companies to track the location of Americans through smartphone data, according to two cybersecurity researchers, the person who posted the mass of files that were allegedly hacked, and a notice the company sent to the Russian government. One was allegedly hacked by Russian cybercriminals in exchange for a ransom. Norwegian government.
The incident marks one of the largest known breaches of several controversial U.S. companies that sell personal location data, which is typically collected without the person’s knowledge. It’s a gold mine for advertisers because it can be used to map a wide range of lives.
Last month, the company Gravy Analytics and its subsidiary Ventel were charged by the Federal Trade Commission with illegally collecting and selling location data on Americans without their knowledge or proper legal consent. It was done. Some of the people Gravey tracked were monitored as they entered and exited sensitive locations, including government buildings, clinics and places of worship, the FTC said.
Smartphones create large amounts of data through the way they connect to cell towers and wireless internet providers, and through apps, especially third-party apps that require location data. The pervasiveness of smartphones in daily life has fueled an industry of shadowy companies that buy, package, and sell data. That data is typically promoted to marketers, but also sold to governments.
Gravy’s website has been down since at least Tuesday. Emails to Unacast, the parent company of Venntel and Gravy, could not be delivered. Several company executives contacted by NBC News did not respond to requests for comment.
Although the company has not made any public notification to the United States about the alleged breach, Norwegian news outlet NRK obtained a private notification of the breach that Gravy and Unacast sent to Norway’s data protection authorities. Announced. Unacast has offices in Norway.
Gravy said in a notice that it became aware of the unauthorized access to Amazon Web Services cloud storage on Monday and is currently investigating.
The FTC’s complaint alleges that Gravy “collects, processes, and manages” more than 17 billion signals from people’s smartphones every day.
Venntel sells Gravy data about people’s locations to establish what the online advertising industry calls “patterns of life.” The company’s marketing materials provide examples of identifying targets “where they sleep, where they work, and visits to other USG (U.S. Government) buildings” and where people are (at home, at the gym, at night school). etc.) can be shown. ” the complaint states.
On Saturday, hackers from a popular Russian cybercrime forum called XSS claimed to have hacked Gravy. They posted screenshots and uploaded a massive 17 terabytes of information as evidence. The hackers claimed in Russian that they would upload more unless Gravy paid an unspecified ransom.
The files have since been deleted, but have since been downloaded and shared among cybersecurity researchers, two of whom analyzed the files and said they were likely genuine.
John Hammond, a researcher at cybersecurity firm Huntress, told NBC News that when he sorted through the data, he discovered a database of email addresses for more than 300,000 individuals. NBC News investigated some of these addresses through HaveIBeenPwned, a website that matches email addresses to see if they had been compromised in previous breaches, and found that some of the addresses in the alleged gravy dump were found in other significant breaches. I discovered that it was not included.
“Organizations whose sole mission is data collection and aggregation are undoubtedly attractive targets for threat actors, even though we don’t know how they gained initial access or ‘how did the hacker get in?’ It’s clear they breached security more than enough to affect this type of data,” Hammond told NBC News.
Baptiste Robert, CEO of French privacy and location data company Predicta Labs, downloaded the sample data and the leaked material tracks people in about 30 million locations around the world. “This appears to be the case,” he told NBC News. This data does not explicitly identify individuals by name or contain any other identifying information, but instead follows the data broker industry’s practice of assigning individuals a series of numbers as pseudonyms, he said. said.
Data brokers claim that using pseudonyms in advertising IDs protects privacy, but researchers have repeatedly shown that location data can make it easier to identify individuals. . For example, if data tracking a particular cell phone shows someone who spends most nights at a particular address, that person may own or rent that home.
The United States lacks a comprehensive federal privacy law, even though privacy advocates and even the Biden administration have called for one. Last year, researchers at Duke University discovered that U.S. military personnel’s data, including location data, was being widely sold by data brokers.
In 2023, the Office of the Director of National Intelligence announced that U.S. intelligence agencies, which have restrictions on direct surveillance of Americans, often purchase data about Americans from brokers, with little guidelines or oversight in the process. I discovered it.
