Massive Data Breach at Gravy Analytics Threatens Millions' Privacy


A recent hack and data breach at Gravy Analytics, a major location data broker, is sparking significant privacy concerns as it reveals the vulnerability of millions worldwide whose smartphone data may have been exposed. The incident underscores the precariousness of personal data security in an age dominated by digital footprints.

While the complete impact of the breach remains uncertain, a substantial sample of stolen location data sourced from a variety of consumer apps—ranging from health and fitness to dating, as well as transit apps and popular games—has already been publicly disclosed by the alleged hacker. This data encompasses tens of millions of points mapping users' locations, offering insights into their residence, work, and travel routes.

On a Russian cybercrime forum, the hacker reportedly boasted about exfiltrating several terabytes of consumer data from Gravy Analytics. The breach was initially reported by an independent news outlet, which highlighted that the leaked data seemingly includes historical location records from millions of smartphones.

Norwegian broadcaster NRK confirmed that Unacast, the parent company of Gravy Analytics, reported the breach to Norway's data protection authorities as mandated by law. Unacast, which merged with Gravy Analytics in 2023 to become a key player in the location data sector, had previously claimed to track over a billion devices globally.

30 Million Location Data Points Leaked

The breach has reignited concerns among data privacy advocates about the risks posed by data brokers to individual privacy and national security. Baptiste Robert, CEO of Predicta Lab—who accessed the leaked dataset—stated that it contains more than 30 million location data points, including sensitive areas like The White House and military bases. One analysis revealed Tinder user data across the United Kingdom, while another illustrated potential identification of military personnel by cross-referencing location data with known Russian military sites.

"The data allows for easy deanonymization of individuals," Robert asserted, warning about the potential exposure for LGBTQ+ users identified in countries where homosexuality is criminalized.

Image: A map showing Tinder users located across the United Kingdom. Image Credits: Baptiste Robert / X

This breach follows closely on the heels of the Federal Trade Commission's recent actions against Gravy Analytics and its subsidiary, Venntel, prohibiting the companies from collecting and selling Americans' location data without explicit consent. The FTC accused these entities of unlawfully surveilling millions of people across sensitive sites.

Ad Networks and Location Data Collection

Gravy Analytics accumulates much of its data from real-time bidding within the ad industry. In this process, advertisers receive brief insights into users' devices during milliseconds-long auctions, sometimes including location data if permissions are granted. Such information can then be gathered by data brokers and merged with external sources to profile individuals.

Security specialists, including Predicta Lab's Robert, found many apps unknowingly share bidstream data with brokers, encompassing data from apps like FlightRadar, Grindr, and Tinder. Despite these companies denying any direct engagement with Gravy Analytics, the structure of ad delivery allows user data to be transmitted without explicit approval.
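
As an added illustration (not from the article or from any company named in it), this is how an app publisher or ad mediation layer could reduce what a bid request reveals before it enters an auction. It assumes the OpenRTB 2.x field layout (device.ifa, device.lmt, device.dnt, device.geo.lat/lon), which the article does not name; the sample request and the function names are constructed for the example.

```python
import copy

# Constructed sample request using OpenRTB 2.x field names (assumed layout).
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"bundle": "com.example.fitness"},
    "device": {
        "ifa": "6d92078a-8246-4ba4-ae5b-76104861e7dc",  # advertising ID
        "lmt": 1,                                        # user limited ad tracking
        "ip": "203.0.113.57",
        "geo": {"lat": 59.913868, "lon": 10.752245, "type": 1, "accuracy": 8},
    },
    "user": {"id": "u-42", "geo": {"lat": 59.913868, "lon": 10.752245}},
}
ZERO_IFA = "00000000-0000-0000-0000-000000000000"


def _coarsen_geo(geo, decimals):
    """Round coordinates and drop fields that re-narrow the position."""
    out = dict(geo)
    for key in ("lat", "lon"):
        if isinstance(out.get(key), (int, float)):
            out[key] = round(out[key], decimals)
    for key in ("accuracy", "lastfix", "zip"):
        out.pop(key, None)
    return out


def minimize_bid_request(request, decimals=2):
    """Return a copy with identifiers and location reduced; input is untouched."""
    req = copy.deepcopy(request)
    device, user = req.get("device", {}), req.get("user", {})
    # Honour the opt-out flags: no stable identifier leaves the app.
    if device.get("lmt") == 1 or device.get("dnt") == 1:
        if "ifa" in device:
            device["ifa"] = ZERO_IFA
        for key in ("id", "buyeruid"):
            user.pop(key, None)
    # Truncate IPv4 to its /24 so the address alone does not pin a household.
    ip = device.get("ip")
    if isinstance(ip, str) and ip.count(".") == 3:
        device["ip"] = ip.rsplit(".", 1)[0] + ".0"
    # Two decimals is roughly 1 km: enough for regional ads, not a home address.
    for holder in (device, user):
        if isinstance(holder.get("geo"), dict):
            holder["geo"] = _coarsen_geo(holder["geo"], decimals)
    return req
```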

How to Protect Against Ad Surveillance

There are steps users can take to safeguard their personal data. Digital rights groups suggest employing ad-blockers or mobile content blockers to curb ad surveillance. Both Android and iOS offer settings to minimize tracking, such as disabling app tracking on Apple devices or resetting advertising IDs on Android.

Preventing apps from accessing precise location data when unnecessary can also mitigate exposure. Adjusting these settings can help maintain privacy in an environment where personal data is increasingly commodified.
