Russian cybercriminals have hacked one of the largest companies that tracks Americans’ location through smartphone data in exchange for ransom, according to two cybersecurity researchers, a person who has posted a massive trove of allegedly hacked files and a notice the company sent to the Norwegian government.
The incident would be one of the largest known breaches of a handful of controversial U.S. companies that sell people’s location data, a gold mine for advertisers because it can be used to extensively map people’s lives, usually without their knowledge.
The Federal Trade Commission last month accused the company, Gravy Analytics, and its subsidiary, Venntel, of illegally collecting and selling Americans’ location data without their knowledge or obtaining proper legal consent. Some of the people Gravy tracked were monitored going into sensitive locations like government buildings, health clinics and places of worship, the FTC said.
Smartphones create significant data both from how they connect to cell towers and wireless internet providers and through apps, particularly third-party apps that require location data. The ubiquity of smartphones in everyday life has spurred an industry of shadowy companies that buy, package and sell data. While the data is usually advertised to marketers, it’s also sold to governments.
Gravy’s website has been down since at least Tuesday. Emails to it, Venntel and Gravy’s parent company, Unacast, couldn’t be delivered. Several executives at the company didn’t respond to requests for comment.
While the company has not made any public American notice about the alleged breach, Norwegian state broadcaster NRK obtained and published a private notification of the breach that Gravy and Unacast sent to Norway's data protection authority. Unacast maintains an office in Norway.
Gravy noticed unauthorized access to its Amazon Web Services cloud storage Monday, it said in the notice, and is still investigating it.
Gravy has claimed to “collect, process and curate” more than 17 billion signals from people’s smartphones every day, according to the FTC’s complaint.
Venntel sells Gravy data about people’s locations to help establish what the online advertising industry calls “patterns of life.” The companies’ marketing materials give an example of identifying a target’s “bed down location, work location, and visits to other USG [United States Government] buildings,” and it can show where people are: “home, gym, evening school, etc,” the complaint says.
On Saturday, a hacker on a popular Russian cybercrime forum called XSS claimed to have hacked Gravy. It posted screenshots and uploaded 17 terabytes of information, a massive trove, as evidence. Writing in Russian, the hacker threatened to upload more if Gravy didn’t pay an unspecified ransom.
The files have since been removed, but not before they were downloaded and shared among cybersecurity researchers, two of whom analyzed them and said they found them most likely authentic.
John Hammond, a researcher at the cybersecurity company Huntress, told NBC News that sorting through the data he found a database of more than 300,000 people’s email addresses. NBC News ran some of those addresses through HaveIBeenPwned, a website that cross-checks email addresses to see whether they have been exposed in previous breaches, and found that some of the addresses haven’t been part of other major breaches.
“Organizations whose sole mission is data collection and aggregation are undoubtedly going to be an attractive target for threat actors. While we don’t know their initial access method, or ‘how the hackers got in’, it is clear they compromised more than enough to make an impact with this kind of data,” Hammond wrote to NBC News.
Baptiste Robert, the CEO of the French privacy and location data company Predicta Lab, downloaded the sample data and told NBC News that the leaked material appears to show people tracked to around 30 million locations around the world. The data doesn’t explicitly identify people by name or include other identifying information; instead, it follows the data broker industry practice of assigning people strings of numbers as pseudonyms, he said.
Though data brokers claim that using advertising ID pseudonyms protects people’s privacy, researchers have repeatedly shown that location data can make it easy to identify them. If data tracking a particular cellphone shows a person who spends most nights at a particular address, for example, it’s likely that person owns or rents that home.
The United States has no comprehensive federal privacy law, even though privacy advocates and the Biden administration having called for one. Last year, Duke University researchers found that data brokers widely sell U.S. service members’ data, including location data.
In 2023, the National Intelligence Director’s Office found that U.S. intelligence agencies, which have restrictions on surveilling Americans directly, often purchase data about Americans from brokers and have few guidelines or oversight in that process.
