Gravy Analytics, a Virginia-based company whose name has no connection to the actual meaning of “gravy,” has recently found itself in the spotlight for all the wrong reasons. The firm, known for its location data services, has been hit by a data breach that could raise serious concerns over the security of user data for millions.
The company, which specializes in providing location analytics using smartphone data, appears to have fallen victim to a sophisticated cyberattack. This breach could potentially expose the location data of millions to hackers.
Gravy, a location data broker, is still investigating claims circulating on the dark web. As a hacker is reportedly selling a dataset containing information believed to have been stolen from Gravy, sparking worries among individuals and businesses whose location data may have been compromised.
Typically, businesses must obtain consent from smartphone users before tracking their location via apps. However, in practice, this rule is often overlooked, and the consent process is usually limited to search engines rather than being enforced across the web.
In this case, the hacker claims to have gained access to an Amazon storage bucket where Gravy Analytics stored its data. The hacker is now allegedly selling part of the compromised dataset, which raises red flags regarding privacy, data retention, and regulatory compliance.
For years, Gravy has collected data such as timestamps, GPS coordinates, and location histories, which was then merged with Unacast in 2023. Through its subsidiary Venttel, Gravy sold information about smartphone users’ visits to specific venues, neighborhoods, and zip codes, often to entities like law enforcement agencies (FBI, IRS, DHS) as well as marketing and advertising firms, all of whom seek detailed location insights.
The potential ramifications are concerning. If the stolen data includes smartphone usage history across various locations, it could jeopardize individuals’ privacy. Worse, if the dataset contains information about high-profile individuals, their whereabouts and activities could easily be deduced, posing significant security risks—both physical and virtual.
That said, the hacker’s claims have yet to be verified. It’s not uncommon for individuals or groups on the dark web to make exaggerated or false claims about hacking large firms, attempting to gain attention by falsely taking credit for major data breaches. As such, while the situation is serious, it remains unclear whether the breach is as extensive as reported.
Ad
Join over 500,000 cybersecurity professionals in our LinkedIn group “Information Security Community”!