Gravy Analytics breach exposes sensitive location data of millions of users

The FTC’s proposed order against the company requiring it to delete all historic data because of a lack of end user consent for its use comes too late to help those whose sensitive personal information is now potentially exposed.

The privacy of millions of people around the world has potentially been compromised by a hack and data breach at a company few will have heard of.

Gravy Analytics is a data broker that specialized in the gathering and selling of raw data tracking the location and movement of individuals. The company has claimed that it was processing billions of signals from approximately one billion individual devices on a daily basis. The data it compiled would then be sold to third parties.

By combining the captured data with other data sets the company or its clients could build up a detailed picture of individuals and their behavior, including sensitive, individually identifiable, personal information. This, of course, is hugely valuable to companies and their advertising and marketing functions in particular, but it also illustrates the potential seriousness of this data breach.

Parent company Unacast, which is based in Norway, uncovered the data breach on January 4 and reported the incident to Datatilsynet, Norway’s Data Protection Authority. It has since also notified the UK’s ICO.

Hackers

According to the filing with Datatilsynet, a set of misappropriated access keys gave hackers access to the company’s Amazon Web Services environment. This enabled the exfiltration of a large volume of data. It has been reported that the breach may involve up to 17 terabytes of data.
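The filing describes the classic pattern of a leaked cloud credential being used to pull bulk data out of an account. As an added illustration (not code from the article, Unacast or Gravy Analytics, and not a description of how this breach was actually detected), the script below runs two cheap detections over CloudTrail-style records: an access key used from a source IP outside an allow-list, and a burst of S3 GetObject calls from one address. The field names mirror CloudTrail (userIdentity.accessKeyId, sourceIPAddress, eventName, eventSource), but every record, IP address, key ID and threshold here is constructed for the example.

```python
"""Added example: flag suspicious use of an AWS access key in CloudTrail-style
records. Record shape follows CloudTrail's fields, but all events, key IDs and
IP addresses below are constructed for illustration, not from any real account."""
from collections import Counter, defaultdict

# Constructed sample log: one key used normally from an office IP, then the
# same key pulling several objects from an address never seen before.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-04T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2025-01-04T08:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
] + [
    {"eventTime": f"2025-01-04T22:1{i}:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}}
    for i in range(4)
]

# Constructed allow-list: addresses this key is expected to be used from.
KNOWN_SOURCE_IPS = {"203.0.113.10"}


def detect_key_misuse(events, known_ips, bulk_read_threshold=3):
    """Return {access_key: [reasons]} for keys that show signs of misuse.

    Two signals are checked per (key, source IP) pair:
      * the key was used from an IP outside the known set, and
      * the number of S3 GetObject calls from that IP reached the
        bulk_read_threshold (a crude mass-download indicator).
    Events without an access key (e.g. console sign-ins) are skipped.
    """
    by_key_ip = defaultdict(Counter)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue
        ip = ev.get("sourceIPAddress", "unknown")
        is_s3_read = (ev.get("eventSource") == "s3.amazonaws.com"
                      and ev.get("eventName") == "GetObject")
        by_key_ip[(key, ip)]["GetObject" if is_s3_read else "other"] += 1

    findings = defaultdict(list)
    for (key, ip), counts in by_key_ip.items():
        if ip not in known_ips:
            findings[key].append(f"used from unknown source IP {ip}")
        if counts["GetObject"] >= bulk_read_threshold:
            findings[key].append(
                f"{counts['GetObject']} S3 GetObject calls from {ip}")
    return dict(findings)


if __name__ == "__main__":
    for key, reasons in detect_key_misuse(SAMPLE_EVENTS, KNOWN_SOURCE_IPS).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

In a real account the same logic would run over CloudTrail delivered to S3 or CloudWatch Logs, with the allow-list and threshold tuned to the key's normal usage; an alert on either signal is a prompt to rotate the key, not proof of compromise on its own.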

Worryingly, not many of those potentially affected will have heard of Gravy Analytics and may be oblivious to the fact that their privacy may have been compromised.

But there’s more.

According to a US Federal Trade Commission (FTC) complaint lodged against the company and its subsidiary Venntel in December 2024, at least some of the data the company collected, used and sold has been gathered without appropriate consent from end users.

The FTC’s complaint alleges that the companies failed to take reasonable steps to confirm that consent was appropriately obtained, but nevertheless continued to use the data. In some instances, location data was used by the companies even after they discovered that consent had not been obtained or given.

Geolocation data

Certainly the examples used to illustrate the FTC’s case show that end users are unlikely to have known or understood that their data gathered by apps such as Spotify, Grindr or Tinder was going to be used by a data broker and sold on to others.

And the FTC asserted that this “unauthorized collection, use, and sale of precise geolocation data is an unwarranted intrusion into consumer’s privacy” causing them “substantial injury.”

In addition, the FTC pointed out that the data is not anonymous once associated with persistent identifiers, which means that the “unauthorized disclosure of such sensitive characteristics puts individuals at significant risk of stigma, discrimination, physical violence, emotional distress, and other harms.”

That risk has just materialized in a massive way as a result of this hack.