Location Data Giant Gravy Analytics Breach

Hackers say they've stolen an absolute ton of sensitive location data, and are blackmailing the company they stole it from.

(Scroll down for my raw longer form thoughts)

What happened: Hackers claim to have breached Gravy Analytics, a major location data broker that sells smartphone tracking data to U.S. government agencies. This could be the first major breach of a location data aggregator, potentially exposing millions of people's precise movements and creating unprecedented privacy risks.

The big picture: The breach highlights the dangerous concentration of sensitive location data in private companies' hands. Gravy Analytics, through its subsidiary Venntel, has been selling bulk location data to the military, DHS, the IRS and the FBI, making it an attractive target for cybercriminals.

By the numbers:

  • Millions of users' location data potentially exposed

  • Data access dating back to 2018, hackers claim

  • Multiple government agencies affected as customers

  • Dozens of major corporate clients impacted, including Apple, Uber, and Equifax

How the breach happened:

  1. Initial access: unknown. What the hackers claim:

  • Root access to Gravy's Ubuntu servers

  • Control over company domains

  • Access to Amazon S3 storage buckets containing bulk data

  2. Data compromised:

  • Precise GPS coordinates of smartphone users

  • Timestamped location histories

  • Customer lists and industry intelligence

  • Movement pattern classifications (e.g., "LIKELY_DRIVING")

  3. Geographic scope:

  • Data from multiple countries, including Mexico, Morocco, the Netherlands, North Korea, Pakistan, Russia and the United States

Between the lines: This breach comes just weeks after the FTC's sweeping action against Gravy and Venntel, banning them from selling sensitive location data except in limited national security cases.

Immediate Risks:

  • De-anonymization of individuals

  • Tracking of high-risk persons

  • Exposure of sensitive locations (schools, clinics, government facilities)

Long-term Implications:

  • Potential regulation of the location data industry

  • Increased scrutiny of government data purchases

  • Reassessment of privacy protection standards

What's next: Hackers have given Gravy Analytics 24 hours to respond before they begin publishing the data. The company's website is currently down.

Longer form thoughts:

We're witnessing the inevitable consequence of building an industry around mass surveillance without adequate safeguards. The location data industry has operated in a regulatory grey zone, collecting vast amounts of sensitive data through seemingly innocent apps and the advertising ecosystem.

Screenshot from hackers. Source: 404media

In an announcement posted on Gravy’s own websites—screenshots of which surfaced on a Russian cybercrime forum—the hackers declared they had obtained a “massive amount” of sensitive information. Beyond details like internal customer lists and industry insights, the hackers say they grabbed the location data that pinpointed where people traveled and when. They’re now threatening to make it public if Gravy doesn’t respond within 24 hours.

If true, this hack spells out what privacy advocates have feared for ages: one breach can expose users’ precise movements to anyone interested enough to download or buy it on the dark web. “A location data broker like Gravy Analytics getting hacked is the nightmare scenario,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, told 404 Media. “If all this bulk location data ends up sold on underground markets, the risks of people being tracked, doxed, or otherwise harassed become astronomical.”

Screenshot from hackers. Source: 404media

The stolen data reportedly includes latitude and longitude coordinates tied to exact timestamps, and the hackers claim they have data from countries around the globe—including Mexico, Morocco, the Netherlands, Pakistan, and even North Korea.

In the U.S., location data from companies like Gravy Analytics has been used by organizations ranging from law enforcement and military branches to private firms looking for marketing intelligence.

Gravy, along with its subsidiary Venntel, has been no stranger to controversy. The Federal Trade Commission (FTC) recently announced sweeping measures banning Gravy and Venntel from selling sensitive data—except in cases involving national security or law enforcement—while also demanding the deletion of all historic information.

The post from the hackers goes beyond location data, as they also flaunt root-level access to Gravy’s servers, control of its domains, and screenshots of Amazon S3 storage buckets that might contain even more data. So… completely owned.

One of the screenshots revealed a “users” file showing prominent names like Uber, Comcast, Apple, LexisNexis, and Equifax, as well as Babel Street—a government contractor previously reported to have sourced some location data from Gravy. It’s unclear how many companies have been impacted or what might happen if their contracts or data are exposed.

Some cybersecurity experts believe this could mark a turning point for the location data industry. The threat isn’t just potential identity theft or credit fraud. It’s about personal safety and the possibility of being followed, profiled, or harassed based on historical movements. “This type of data has been sold to corporate and government interests, but it’s never been widely available to all the threat actors who might want it,” Edwards said. “Now it could be.”

For now, Gravy’s main website is down. Typically, it redirects to Unacast, which acquired Gravy in 2023, though Unacast executives haven’t responded to requests for comment. As the hackers’ 24-hour ultimatum looms, experts warn that this may be just the start of a series of high-stakes breaches targeting the location data industry, putting millions of people’s private whereabouts up for grabs.

Here is a good rundown of Gravy Analytics' business from the EFF: https://www.eff.org/deeplinks/2022/06/how-federal-government-buys-our-cell-phone-location-data

source: EFF

Matt’s raw thoughts:

Of course this happened. Data brokers have a huge target on their backs, and that’s usually just aggregates of PII that can be grabbed publicly. Still valuable in aggregate.

This? This is the result of an advertising industry gone mad. The desire and need to serve ads based on extreme context has led to our every move being tracked, not just across the web with cookies but also in the physical world since we all carry a super-powered tracking device in our pockets.

We’re also now seeing lawsuits about these advertisers listening in to our conversations whenever possible to target us better. I know anecdotally everyone I’ve talked to has had the experience of having a conversation IRL, not searching for anything related to what was talked about, and then still getting an ad for that thing within a day.

Imagine those systems being hacked next. Between that and China listening to all of our phone calls if they wanted, the systems we’ve designed to get a better pulse on our activities have proven they will be abused, not if but when. There is no such thing as a back door just for the “good guys” (the quotes doing some heavy lifting here). And there is no such thing as data being collected and only used in the way it was intended.

A while ago now, I used to talk about the Rugged Software movement, and there was a sort of oath we’d have developers say who went through training. A few lines from that oath stand out while thinking about this. I’ll leave you with this:

- I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
- I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

Rugged Manifesto

Stay safe,

MattJ