07 January 2025

Major Data Breach Of Gravy Analytics Threatens Privacy

Hackers steal sensitive customer and location data, prompting calls for urgent action on privacy legislation.

Gravy Analytics, the parent company of Venntel, is facing intense scrutiny following a significant data breach. Hackers have claimed responsibility for stealing sensitive customer lists, detailed industry information, and even location data harvested from smartphones, which shows individuals' precise movements. They have threatened to publish this data, marking what many see as a crisis moment for the location data industry.

For years, companies like Gravy have gathered location information from smartphones through apps and advertising networks, selling it to various clients, including branches of the U.S. government such as the Department of Homeland Security (DHS), the Internal Revenue Service (IRS), and the FBI. This collection of data has now become immensely appealing to hackers.

“A location data broker like Gravy Analytics getting hacked is the nightmare scenario all privacy advocates have feared and warned about. The potential harms for individuals is haunting, and if all the bulk location data of Americans ends up being sold on underground markets, this will create countless deanonymization risks and tracking concerns for high-risk individuals and organizations,” cautioned Zach Edwards, senior threat analyst at cybersecurity firm Silent Push. He emphasized, “This may be the first major breach of bulk location data providers, but it won't be the last.”

The hackers communicated via two Gravy-related websites, stating, “Personal data of millions users is affected.” Screenshots shared on the Russian cybercrime forum XSS confirmed these claims and showed the hackers warning Gravy that it had 24 hours to respond before they would begin releasing this sensitive data.

The samples of stolen information reportedly include exact latitude and longitude coordinates tied to user activity. Some data points even specify countries from which the information was collected, encompassing locations as diverse as Mexico, Morocco, the Netherlands, North Korea, and Pakistan, alongside mention of the “Palestinian State (proposed).” This diverse geographical scope underlines the extent of Gravy's data harvesting.

Evidence shared by the hackers also indicates this breach goes beyond mere customer lists. They displayed what appeared to be access to historical smartphone location data, comprising precise timestamps and coordinates. One alarming file labeled “LIKELY_DRIVING” suggested the type of data being tracked. Other screenshots implied significant access to Gravy’s systems, including root access on associated servers and control over domains and data stored on Amazon S3 buckets.

The ramifications of this breach extend beyond individual privacy concerns; they implicate governmental practices, particularly the use of such data for immigration enforcement and sensitive operations. Earlier reports have illustrated how government contractors like Babel Street could utilize Gravy's data for tracking visitors to abortion clinics, among many other applications.

Edwards elaborated, “For years, this data has been sold to corporate and government interests but it's never been widely available to all the threat actors targeting Western users. This type of data has been used to track visits to abortion clinics, sensitive government locations, and locations which could identify sensitive protected qualities of people like their sexual orientation.”

He reiterated the risks, pointing out how individuals' daily activities could be easily traced. “This data could tell a threat actor where you take your kids to school, where you work, and where you spend leisure time.”

Currently, Gravy’s website is down, redirecting to Unacast, the company which acquired Gravy earlier this year. Attempts to obtain comments from Unacast executives have gone unanswered, exacerbating concerns about the breach's fallout.

Given the current environment of rising privacy concerns and the increasing threat of cyberattacks targeting sensitive information, many are urging the U.S. Congress to take immediate action. Edwards concluded, “It's long overdue for Congress to pass a comprehensive federal privacy bill to safeguard the collection of this type of sensitive data.”