Russian hackers breach American location tracking company
- Russian cybercriminals hacked Gravy Analytics, a major company tracking American location data through smartphones, leading to the unauthorized access of millions' personal information.
- An alleged hacker posted a trove of stolen data online, threatening further exposure unless a ransom was paid, which has raised questions regarding whether the company complied.
- The incident underscores significant privacy concerns and the urgent need for comprehensive data protection regulations in the U.S.
In January 2020, a significant data breach occurred involving Gravy Analytics, a leading company based in the United States that tracks individuals' location information through smartphone data. The breach, attributed to Russian cybercriminals, marked one of the largest known incidents involving a data broker that sells location information to advertisers and other entities. Following unauthorized access to its Amazon Web Services cloud storage, Gravy Analytics discovered that the security of millions of individuals' location data had been compromised. An alleged hacker claimed responsibility and posted a gigabyte of stolen data on a Russian-language cybercrime forum, threatening to release more unless a ransom was paid. This post has since been removed, raising suspicion that Gravy Analytics may have complied with the hacker's demands. Meanwhile, cybersecurity experts who accessed the information before its removal analyzed the files, asserting the authenticity of the hack. The documents reportedly contained a database of over 300,000 email addresses, of which some were not previously known to be involved in any other data breaches. The incident highlights the vulnerabilities associated with data aggregation and the risks faced by organizations that collect and sell location information. Gravy’s parent company, Unacast, which also operates in Norway, has not released any public statements in the United States about the breach. However, it was reported that they disclosed the breach to Norway’s data protection authorities in compliance with local law. This incident not only poses a threat to individuals whose data may have been exposed but also raises broader concerns regarding privacy regulations in the United States, which still lacks a comprehensive federal privacy framework despite increasing calls for such legislation. Additionally, the breach emphasizes the ongoing issues related to cybersecurity threats targeting companies that manage sensitive personal data. The ramifications of this incident could reverberate through the cybersecurity community and challenge the credibility of data brokers who profit from selling individuals’ location data without explicit consent, as consumers become increasingly aware of their privacy rights.