A U.S. company that collects and sells location data has reportedly been targeted in a cyberattack by Russian hackers. Gravy Analytics, a firm that tracks smartphone users’ movements, is investigating unauthorized access to its cloud storage, according to a notification sent to Norway’s data protection authority.
Alleged Cyberattack and Data Leak
Cybersecurity researchers and a hacker on a cybercrime forum have claimed that sensitive data from Gravy Analytics was compromised. The hacker posted screenshots and uploaded approximately 17 terabytes of data, allegedly obtained in the breach. While the hacker later removed the files, cybersecurity analysts who examined them suggest the information is authentic.
John Hammond, a researcher at the cybersecurity company Huntress, analyzed the leaked data and found a database containing over 300,000 email addresses. Additionally, Baptiste Robert, CEO of privacy-focused firm Predicta Lab, stated that the data appears to include location records from around 30 million locations worldwide.
Federal Trade Commission’s Investigation
The cyberattack follows recent scrutiny of Gravy Analytics by the Federal Trade Commission (FTC). In December 2024, the FTC accused the company and its subsidiary, Venntel, of unlawfully collecting and selling Americans’ location data without proper consent. The complaint alleges that some tracked individuals visited sensitive locations such as government buildings, health clinics, and places of worship.
Industry and Privacy Concerns
Gravy Analytics has claimed to collect, process, and curate more than 17 billion signals from smartphones daily. Its subsidiary, Venntel, has reportedly used the data to analyze individuals’ movement patterns, identifying locations such as residences, workplaces, and frequented sites.
The location data industry has drawn criticism over privacy concerns, with researchers warning that even pseudonymized data—where users are assigned unique identifiers instead of names—can be used to infer identities. The FTC’s complaint underscores broader concerns about how location data is collected, used, and sold without users’ explicit awareness.
Company Response and Ongoing Investigation
Gravy Analytics’ website has been inaccessible since early January, and attempts to contact the company have been unsuccessful. The company has not publicly commented on the incident but acknowledged in its notice to Norwegian authorities that it detected unauthorized access to its Amazon Web Services cloud storage.
The United States currently lacks comprehensive federal privacy legislation regulating the sale and collection of location data, though privacy advocates and policymakers have called for increased oversight. Previous reports have indicated that U.S. government agencies have purchased location data from private firms, raising concerns about regulatory gaps and data security risks.
The investigation into the breach is ongoing, with cybersecurity experts analyzing the extent of the leaked data and its potential impact.