The Gravy Analytics Data Breach Threatens the Privacy of Millions: Cybersecurity Trends

Good gravy! A data breach at Gravy Analytics is threatening the privacy of millions whose smartphone apps revealed their location data.

According to TechCrunch ("A breach of Gravy Analytics’ huge trove of location data threatens the privacy of millions", written by Zack Whittaker and available here), a hack and data breach at location data broker Gravy Analytics is threatening the privacy of millions of people around the world whose smartphone apps unwittingly revealed their location data collected by the data giant.

The full scale of the data breach isn’t yet known, but the alleged hacker has already published a large sample of location data from top consumer phone apps — including fitness and health, dating, and transit apps, as well as popular games. The data represents tens of millions of location data points of where people have been, live, work, and travel between.

News of the breach broke last weekend after a hacker posted screenshots of location data on a closed-access Russian-language cybercrime forum, claiming they had stolen several terabytes of consumers’ data from Gravy Analytics. Independent news outlet 404 Media first reported the forum post alleging the apparent breach, which claimed to include the historical location data of millions of smartphones.

Norwegian broadcaster NRK reported on January 11 that Unacast, the parent company of Gravy Analytics, disclosed the breach to the country’s data protection authorities as required under its law.

Unacast, founded in Norway in 2004, merged with Gravy Analytics in 2023 to create what it touted at the time as “one of the largest” collections of consumers’ location data. Gravy Analytics claims to track more than a billion devices around the world daily.

In its data breach notice filed with Norway, Unacast said it identified on January 4 that a hacker acquired files from its Amazon cloud environment through a “misappropriated key.” Unacast said it was made aware of the breach through communication with the hacker, but the company gave no further details. The company said its operations were briefly taken offline following the breach.

Baptiste Robert, the CEO of digital security firm Predicta Lab who obtained a copy of the leaked dataset, said in a thread on X that the dataset contained more than 30 million location data points. These included devices located at The White House in Washington, D.C.; the Kremlin in Moscow; Vatican City; and military bases around the world.

Robert warned that the data also allows for easy deanonymization of ordinary individuals; in one example, the data tracked a person as they traveled from New York to their home in Tennessee. Forbes reported on the dangers that the dataset poses to LGBTQ+ users, whose location data derived from certain apps could identify them in countries that criminalize homosexuality.

News of the breach comes weeks after the Federal Trade Commission banned Gravy Analytics and its subsidiary Venntel, which provides location data to government agencies and law enforcement, from collecting and selling Americans’ location data without consumers’ consent. The FTC accused the company of unlawfully tracking millions of people to sensitive locations, like healthcare clinics and military bases.

The location data is being tapped from ad networks. The article discusses what you can do to prevent ad surveillance for both Android and Apple devices. I just did it on my iPhone. Maybe it will keep the hackers “off the gravy train” for my device, at least (sorry, I couldn’t resist!).

So, what do you think? Are you concerned about your location data being compromised as part of the Gravy Analytics hack? Please share any comments you might have or if you’d like to know more about a particular topic.

Image created using GPT-4o’s Image Creator Powered by DALL-E, using the term “robot chef pulling a spoon out of a pot of gravy”.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

