Last week, major location data broker Gravy Analytics revealed a data breach which may have resulted in the theft of precise location data of millions of people, information TechCrunch. That appears to include data from popular mobile games like candy crushas well as dating apps, pregnancy tracking apps, and more, such as 404 Media wrote on Thursday, following his report on the violation two days before.
Baptiste Robert, CEO of digital security company Predicta Lab, said in a <a target="_blank" href="https://x.com/fs0c131y/status/1876975966334964076″>Wednesday Post Series that the small sample data set posted on a Russian forum contained data from “tens of millions of data points around the world” and <a target="_blank" href="https://x.com/fs0c131y/status/1876978615994204334″>including “Sensitive locations like the White House, the Kremlin, the Vatican, military bases and more.” As TechCrunch gradesThe sample alone contained more than 30 million locations.
Gravy said in his disclosure to the Norwegian Data Protection Authority which “identified unauthorized access to its AWS cloud storage environment” on January 4. In the disclosure it says it is still investigating how long the hackers had access to its cloud environment and whether the attack “constitutes a reportable personal data breach.” As for what or who was affected, the company writes:
Gravy Analytics is working diligently to determine the scope of the incident and the nature of the information involved. Preliminary results indicate that an unauthorized person obtained certain files that could contain personal data. These are currently under analysis. If it is determined that personal data is involved, that personal data will likely be associated with users of third-party services that provide this data to Gravy Analytics.
Gravy Analytics was one of two data brokers targeted last month in a proposed FTC order prohibiting it from “selling, disclosing, or using sensitive location data in any product or service.” At the time, the FTC wrote that its subsidiary, Venntel, collected app data and sold access to that data to companies or government agencies, including the IRS, DEA, FBI and ICE.
