A company that tracks and sells Americans’ location data has seemingly been hacked

One of the largest companies that tracks Americans’ location through smartphone data has been hacked by Russian cybercriminals seeking a ransom, according to two cybersecurity researchers, a person who has posted a massive trove of allegedly hacked files and a notice the company sent to the Norwegian government.

The incident would be one of the largest known breaches of a handful of controversial U.S. companies that sell individuals’ location data, a gold mine for advertisers as it can be used to extensively map a person’s life, usually without their knowledge.

The company, Gravy Analytics, and its subsidiary, Venntel, were accused last month by the Federal Trade Commission of illegally collecting and selling Americans’ location data without their knowledge or obtaining proper legal consent. Some of the people Gravy tracked were monitored going into sensitive locations like government buildings, health clinics and places of worship, the FTC said.

Smartphones create significant data both from how they connect to cell towers and wireless internet providers and through apps, particularly third-party apps that require location data. The ubiquity of smartphones in everyday life has spurred an industry of shadowy companies that buy, package and sell data. While that data is usually advertised to marketers, it’s also sold to governments.

Gravy’s website has been down since at least Tuesday. Emails to it, Venntel and Gravy’s parent company, Unacast, could not be delivered. Several executives at the company contacted by NBC News did not respond to a request for comment.

While the company has not made any public American notice about the alleged breach, Norwegian news outlet NRK has obtained and published a private notification of the breach that Gravy and Unacast sent to Norway’s data protection authority. Unacast maintains an office in Norway.

Gravy noticed unauthorized access to its Amazon Web Services cloud storage on Monday, it said in the notice, and is still investigating it.

Gravy has claimed to “collect, process and curate” more than 17 billion signals from people’s smartphones every day, according to the FTC’s complaint.

Venntel sells Gravy data on people’s locations to help establish what the online advertising industry calls a “pattern of life.” The companies’ marketing materials give an example of identifying a target’s “bed down location, work location, and visits to other USG [United States Government] buildings,” and can show where people are: “home, gym, evening school, etc,” the complaint says.

On Saturday, a hacker on a popular Russian cybercrime forum called XSS claimed to have hacked Gravy. The hacker posted screenshots and uploaded 17 terabytes of information, a massive trove, as evidence. Writing in Russian, the hacker claimed they would upload more if Gravy didn’t pay an unspecified ransom.
