Data broker’s location data breach threatens privacy of millions

A hack and data breach at location data broker Gravy Analytics threatens the privacy of millions of people around the world, whose smartphone apps inadvertently exposed their location data collected by the data giant.

The full scope of the data breach is not yet known, but the alleged hacker has already released a large sample of location data from top consumer phone apps — including fitness, health, dating, and public transit apps, as well as popular games. The data represents tens of millions of location data points where people live, work, and move between.

News of the hack broke last weekend after a hacker posted screenshots of location data on a Russian-language cybercrime forum, claiming to have stolen several terabytes of consumer data from Gravy Analytics. Independent news outlet 404 media I first reported the forum post alleging the apparent breach, which claimed to include historical location data for millions of smartphones.

Norwegian broadcaster NRK reported on January 11 that Unacast, the parent company of Gravy Analytics, The violation was revealed With the country’s data protection authorities as required by its law.

Unacast, founded in Norway in 2004, has merged with Gravy Analytics In 2023 To create what it described at the time as “one of the largest” consumer location datasets. Gravy Analytics claims to track over a billion devices around the world every day.

in Data breach notification Unacast, which filed an application with Norway, said it determined on Jan. 4 that a hacker had obtained files from its Amazon cloud environment through a “misappropriated key.” Unacast said it learned of the breach through communication with the hacker, but the company did not provide further details. The company said its operations were halted for a short period after the hack.

Unacast said in the notice that it had also reported the breach to UK data protection authorities. A spokesperson for the UK Information Commissioner’s Office did not immediately comment on Monday when contacted by TechCrunch.

Unacast CEOs Jeff White and Thomas Wahl did not return multiple emails from TechCrunch this week seeking comment. In an unattributed statement from a public Gravy Analytics email account Submitted to TechCrunch On Sunday, Unacast acknowledged the breach, saying the “investigation remains ongoing.”

The Gravy Analytics website was still down at the time of writing. Several other domains associated with Gravy Analytics don’t appear to be working either, according to checks conducted by TechCrunch over the past week.

30 million site data points have been leaked so far

Data privacy advocates have long warned of the risks that data brokers pose to individuals’ privacy and national security. Researchers with access to the sample of Gravy Analytics website data posted by the hacker say the information could be used to track people’s recent whereabouts on a large scale.

Baptiste Robert, CEO of digital security company Predicta Lab, who obtained a copy of the leaked data set, said in a blog post: Thread on X The dataset contains more than 30 million location data points. These included devices located in the White House in Washington, D.C.; The Kremlin in Moscow; Vatican City; And military bases around the world. One of the maps shared by Robert Show location data to Tinder users All over the UK. in Another postRobert demonstrated that it is possible to identify individuals likely to serve as military personnel by overlapping stolen location data with the locations of known Russian military facilities.

Robert warned that the data also allows for the easy anonymization of ordinary individuals; In one example, the data tracked a person as he traveled from New York to his home in Tennessee. Forbes Reported the risks The dataset contains LGBTQ+ users, whose location data from certain apps can identify them in countries that criminalize homosexuality.

News of the violation comes weeks later The Federal Trade Commission banned it Gravy Analytics and its subsidiary Venntel, which provides location data to government agencies and law enforcement, collect and sell Americans’ location data without consumers’ consent. The Federal Trade Commission accused the company of illegally tracking millions of people to sensitive locations, such as healthcare clinics and military bases.

Location data exploited from ad networks

Gravy Analytics derives much of its site data from A process called real-time biddingan essential part of the online advertising industry that determines during a millisecond auction which advertiser can show their ad on your device.

During this near-real-time auction, all bidding advertisers can see some information about your device, such as the manufacturer and model type, its IP addresses (which can be used to infer a person’s approximate location), and in some cases, more precise location data if granted. By the application user, along with other technical factors that help determine which ad will be shown to the user.

But as a byproduct of this process, any advertiser bidding — or anyone monitoring these auctions closely — can also access a set of so-called “bidding stream” data that contains device information. Data brokers, including those who sell data to governments, can combine that aggregated information with other data about those individuals from other sources to paint a detailed picture of someone’s life and whereabouts.

Website data analytics by security researchers, Including Robert from Predicta Labreveals thousands of ad serving apps that have, often inadvertently, shared bidding flow data with data brokers.

The dataset contains data sourced from popular Android and iPhone apps, including FlightRadar, Grindr and Tinder – all of which have denied any direct commercial links with Gravy Analytics but have acknowledged displaying ads. But by the nature of how the advertising industry works, it’s possible for ad serving apps to collect their users’ data without them explicitly knowing or consenting to it.

like Mentioned by 404 mediaIt’s unclear how Gravy Analytics derived its vast collections of location data, such as whether the company collected the data itself or from other data brokers. 404 Media found that large amounts of location data were inferred from the device owner’s IP address, which was geolocated to approximate their true location, rather than relying on the device owner allowing the app to access the device’s precise GPS coordinates.

What you can do to prevent ad monitoring

per Digital rights group Electronic Frontier FoundationAd auctions are conducted on almost every website, but there are measures you can take to protect yourself from ad monitoring.

Using an ad blocker — or mobile-level content blocker — can be a tool Effective defense Against advertising monitoring by preventing advertising code on websites from loading in the user’s browser to begin with.

Android and iPhone devices also have device-level features that make it harder for advertisers to track you between apps or across the web, and link your pseudonymous device data to your real identity. The EFF has too Good guide About how to check these device settings.

If you have an Apple device, you can go to the Tracking options in your settings and Turn off the setting to track app requests. This nullifies your device’s unique identifier, making it indistinguishable from any other device.

“If you disable app tracking, your data will not be shared,” Robert told TechCrunch.

Android users should go to the “Privacy” section and then the “Ads” section in their phone settings. If the option is available, you can delete your advertising ID to prevent any app on your phone from accessing your device’s unique identifier in the future. People who don’t have this setting should reset their advertising IDs on a regular basis.

Preventing apps from accessing your precise location when it’s not required will also help reduce your data footprint.