A massive data location broker firm has been hacked, putting the sensitive information of millions at risk.
On January 4, 2025, Gravy Analytics, a subsidiary of Unacast, discovered that someone had unauthorized access to its AWS cloud storage area according to Unacast in an official non-compliance report to the Norwegian Data Protection Authority.
Gravy Analytics is a US data location broker holding the data of millions of iPhone and Android users around the world.
As a result of the hack, on January 14, 2025, the Federal Trade Commission (FTC) settled on an order prohibiting Gravy Analytics and its subsidiary Venntel from unlawfully tracking and selling sensitive location data from users.
This order also prohibits the company from tracking or selling data about consumers’ visits to health-related locations and places of worship.
Data to Track People's Precise Movements
Currently, the identity of the hackers who breached Gravy Analytics remains unknown.
However, the hacker responsible for the hack has claimed that the compromised information included smartphone users' location data that could show peoples' precise movements, reported TechRadar.
404 Media first reported a potential data breach against the American broker on January 7, 2025, after a hacker threatened to publish the stolen data publicly on a forum.
According to Google Translation, Tobias Judin, section head at the Norwegian Data Protection Authority, said on Thursday that there is reason to be concerned. “This is one of the things we fear most.”
A screenshot published by the hackers depicted an unreleased dataset comprising information from at least 146K Norwegian mobile phone devices.
This potentially stolen data likely extends beyond Norwegian devices, potentially including more than three million records of people's movements across Europe.
Also Read: What Is Data Analysis? Techniques and Tools Explored…
Personal Data Under Active Investigation
"The unauthorised person obtained some files, but the content of these files and whether they contained personal data is under active investigation,” Unacast said in the report.
“Gravy Analytics is informing the Norwegian Data Protection Authority at this time to make you aware of the incident, as speculation about the incident has begun to arise in social media and in editorial media," it added.
The report has confirmed that the hackers gained unauthorised access to Gravy Analytics’ cloud services.
The company allegedly became aware of the breach in their own systems when the hacker contacted them.
In the final order by FTC, “Gravy Analytics and Venntel will be prohibited from selling, disclosing, or using sensitive location data except in limited circumstances involving national security or law enforcement.”
“The companies must also establish a sensitive data location program,” added FTC.
Also Read: Green Bay Packers Data Breach Risks Credit Card Data of 8.5K Customers
