Major location data broker reports hack to Norwegian authorities
A major player in the location data broker market has confirmed to Norway’s Data Protection Authority that it was breached by a hacker who obtained an unknown number of files.
The Norwegian news outlet NRK on Friday published a copy of the breach notice sent to Norwegian authorities by the location data broker Unacast, the parent company of Gravy Analytics. It is unclear when the breach was reported.
While the breach report contains few details of the incident, hackers have claimed on a Russian cybercrime forum to have stolen a vast trove of data. The news outlet 404 Media was the first publication to reveal news of the breach.
According to the outlet, data showing historical locations for smartphones belonging to millions of users was obtained in the breach.
Gravy reported to the Norwegian data authority that the hacker accessed its Amazon Web Services (AWS) cloud storage environment through a “misappropriated access key.”
The hacker notified the company of the breach on January 4, Gravy reported.
“The unauthorized person obtained some files, but the contents of those files and whether they contain personal data remains under investigation,” the breach report says. If personal data was obtained, it is “likely associated with users of third-party services that supply this data to Gravy Analytics,” the report says.
The hacked data reportedly appears to have originated in thousands of apps Gravy drew data from, including Tinder, Grindr, Candy Crush and several religious and pregnancy tracking apps.
The data broker says it has now secured its AWS environment.
Gravy owns Venntel, a data broker that provides the U.S. government with location data.
In December, the Federal Trade Commission (FTC) announced that Gravy and Venntel violated the FTC Act by unfairly selling non-anonymized consumer location data. The FTC also alleged the firms used that data without obtaining “verifiable user consent for commercial and government uses.”
Gravy Analytics continued to gather and use consumers’ location data even after realizing consumers did not give “informed consent” for the collection, the FTC said.
The two companies advertise that they collect over 17 billion signals from roughly a billion smartphones daily, according to the FTC.
The FTC order was notable because it set new limits on law enforcement usage of the companies’ location data for investigative purposes. Law enforcement and intelligence agencies have acknowledged that they obtain data from brokers that historically would only have been available with a warrant.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.