Gravy Analytics Data Breach: A Growing Concern for User Privacy
In a troubling development, data broker Gravy Analytics has suffered a significant cyber breach, putting the location data of millions of iOS and Android users in jeopardy, as highlighted by TechCrunch. The incident came to light when Gravy Analytics’ parent company, Unacast, informed the public about the breach earlier this month through an official disclosure document. They reported that an unauthorized individual had infiltrated their AWS cloud storage environment using a “stolen access key.”
The Nature of Compromised Data
Initial assessments indicate that various files were accessed in this breach, particularly files suspected to include personal information gathered from individuals who use third-party services associated with Gravy Analytics. Hackers have reportedly claimed possession of sensitive customer lists and granular smartphone location data that details individual movements; it is believed that millions may be impacted. Disturbingly, some portions of this historical location data have even surfaced on exclusive online platforms.
Scale and Impact of Information Tracking
Gravy Analytics purportedly monitors over one billion devices globally each day. Security experts who examined samples from the compromised dataset confirmed its potential to expose recent whereabouts without any form of anonymization.
Federal Action Against Privacy Violations
This situation is exacerbated by previous actions taken against Gravy Analytics by the United States Federal Trade Commission (FTC). In December prior to this breach, the FTC barred both Gravy Analytics and its subsidiary Venntel from selling or utilizing sensitive geolocation information across any offerings. The commission emphasized that these companies posed significant privacy risks—potentially revealing private details about health status, political affiliations, and religious observances—thereby exposing individuals to discrimination or violence based on their information.
The FTC’s directive mandated that all historic geolocation data be erased, along with any related products developed using consumer-collected insights. However, this appears to be too little, too late, as evidence suggests breaches may have already occurred prior to enforcement.
Data Collection Practices Under Scrutiny
The collection method employed by Gravy Analytics involves real-time advertisement bidding, in which competing companies can access user IP addresses alongside more precise location details if permitted. The database includes geographic information sourced from popular iPhone applications like FlightRadar, Grindr, and Tinder, even though these apps did not directly engage with Gravy as partners. Instead, user location data was captured via advertising frameworks integrated within those applications.
User Protections on Apple Devices
Baptiste Robert—the CEO of Predicta Lab—has stated in discussions with TechCrunch that users who disable app tracking settings on their iPhones are insulated from having their personal data compromised during such incidents.