One of the largest companies that tracks Americans’ location through smartphone data has been hacked by Russian cybercriminals in exchange for ransom, according to two cybersecurity researchers and a person who has posted a massive trove of allegedly hacked files.
The incident would be one of the largest known breaches of a handful of controversial U.S. companies that sell individuals’ location data, a gold mine for advertisers as it can be used to extensively map a person’s life, usually without their knowledge.
The company, Gravy Analytics, and its subsidiary, Venntel, were accused last month by the Federal Trade Commission of illegally collecting and selling Americans’ location data without their knowledge or obtaining proper legal consent. Some of the people Gravy tracked were monitored going into sensitive locations like government buildings, health clinics and places of worship, the FTC said.
Smartphones create significant data from both how they connect to cell towers and wireless internet providers, as well as through apps, particularly third-party apps that require location data. The ubiquity of smartphones in everyday life has spurred an industry of shadowy companies that buy, package and sell data. While that data is usually advertised to marketers, it’s also sold to governments.
Gravy’s website has been down since at least Tuesday. Emails to it, Venntel and Gravy’s parent company, Unacast, could not be delivered. Several executives at the company contacted by NBC News did not respond to a request for comment.
Gravy has claimed to “collect, process and curate” more than 17 billion signals from people’s smartphones every day, according to the FTC’s complaint.
Venntel sells Gravy data on people’s locations to help establish what the online advertising industry calls a “pattern of life.” The companies’ marketing materials give an example of identifying a target’s “bed down location, work location, and visits to other USG [United States Government] buildings,” and can show where people are: “home, gym, evening school, etc,” the complaint says.
On Saturday, a hacker on a popular Russian cybercrime forum called XSS claimed to have hacked Gravy. It posted screenshots and uploaded 17 terabytes of information, a massive trove, as evidence. Writing in Russian, the hacker claimed they would upload more if Gravy didn’t pay an unspecified ransom.
The files have since been removed, but not before they were downloaded and shared among cybersecurity researchers, two of whom analyzed them and said they found them likely authentic.
John Hammond, a researcher at the cybersecurity company Huntress, told NBC News that sorting through the data, he found a database of more than 300,000 individuals’ email addresses. NBC News ran some of those addresses through HaveIBeenPwned, a website that cross-checks email addresses to see if they have been exposed in previous breaches, and found that some of the addresses in the alleged Gravy dump have not been part of other major breaches.
“Organizations whose sole mission is data collection and aggregation are undoubtedly going to be an attractive target for threat actors. While we don’t know their initial access method, or ‘how the hackers got in’, it is clear they compromised more than enough to make an impact with this kind of data,” Hammond told NBC News.
Baptiste Robert, the CEO of the French privacy and location data company Predicta Lab, downloaded the sample data and told NBC News that the leaked material appears to show people tracked to around 30 million locations around the world. The data does not explicitly identify people by name or contain other identifying information, but instead follows the data broker industry practice of assigning individuals a string of numbers as a pseudonym, he said.
Though data brokers claim that using advertising ID pseudonyms protects their privacy, researchers have repeatedly shown that location data can make it easy to identify individuals. If data tracking a particular cellphone shows a person who spends most of their nights at a particular address, for example, it’s likely that person owns or rents that home.
The U.S. has no comprehensive federal privacy law, despite privacy advocates and even the Biden administration having called for one. Last year, Duke University researchers found that U.S. service members’ data, including location data, is widely sold by data brokers.
In 2023, the Office of the Director of National Intelligence found that U.S. intelligence agencies, which have restrictions on surveilling Americans directly, often purchase data on Americans from brokers and have few guidelines or oversight in that process.
