Gravy Analytics, a prominent location data broker, confirmed a security breach that compromised its cloud storage environment, potentially exposing millions of users’ data. The breach was discovered after a hacker accessed the company’s Amazon Web Services (AWS) cloud storage through a misappropriated access key. Gravy Analytics reported the breach to Norway’s Data Protection Authority, with the hacker notifying the company of the unauthorized access on January 4. Although the company acknowledged that some files were obtained, it remains unclear whether personal data was involved, and investigations are ongoing.
The stolen data is believed to have included historical location information from smartphones, which was gathered through thousands of apps that Gravy Analytics collaborates with. These apps include widely used platforms such as Tinder, Grindr, Candy Crush, and even more niche applications like those related to pregnancy tracking and religious content. Gravy Analytics has stated that the data could be linked to users of third-party services that supplied data to the company, but further analysis is needed to determine the full scope of the breach.
The company took swift action after the breach was detected, securing its AWS environment to prevent further unauthorized access. However, the breach is significant as it involves data that is critical to Gravy Analytics’ business model. The firm had been previously involved in controversies over its practices of collecting non-anonymized consumer data without verifiable consent, leading to a Federal Trade Commission (FTC) investigation. The FTC’s investigation revealed that Gravy Analytics and its subsidiary, Venntel, were selling non-anonymized data to both commercial and government entities.
The incident underscores the growing concerns surrounding the location data brokerage industry, particularly with regard to the collection, sale, and use of consumer data. Gravy Analytics, which gathers over 17 billion signals daily from approximately one billion smartphones, had previously faced scrutiny over its data collection practices. The breach could have wider implications for the regulatory environment, especially as law enforcement and intelligence agencies have increasingly relied on location data for investigations, sometimes bypassing traditional warrant requirements.