Data Broker Discloses A Major Breach Of App User Data

A subsidiary of a leading US location data broker, Unacast, has informed the Norwegian national Data Protection Authority, Datatilsynet, that it has been breached in a severe incident.

According to reports, the hack might have resulted in the theft of precise location data for millions of smartphone users. 

The subsidiary, named Gravy Analytics, told Datatilsynet that a hacker accessed its Amazon Web Services (AWS) cloud storage environment. In its incident report, Datatilsynet says that the breach involved the theft of information from a Gravy Analytics web server using a "misappropriated" key.

While the breach report contains only a few details of the incident, hackers have claimed on a Russian cyber crime forum to have stolen a vast amount of data. “The unauthorised person obtained some files, but the contents of those files and whether they contain personal data remains under investigation,” the breach report says. If personal data was obtained, it is ‘likely associated with users of third-party services that supply this data to Gravy Analytics,’ Datatilsynet's report says.

The hacked data appears to have originated in thousands of apps that Gravy Analytics drew data from, including Tinder, Grindr, Candy Crush and several religious and pregnancy tracking apps. A preliminary investigation showed that some of the stolen files "could contain personal data."

Unacast also owns Venntel, a data broker that also provides the US government with location data. In December 2024 the Federal Trade Commission (FTC) ruled that Gravy Analytics and Venntel violated the FTC Act by unfairly selling non-anonymised consumer location data. The FTC also alleged the firms used that data without obtaining “verifiable user consent for commercial and government uses.”  

Gravy Analytics apparently continued to gather and use consumers’ location data even after realising that “informed consent” had not been given for the collection, the FTC said.

The FTC order is notable because it sets new limits on law enforcement usage of the companies’ location data for investigative purposes. Law enforcement and intelligence agencies have acknowledged that they obtain data from brokers that historically would only have been available with a warrant. 

404Media | Datatilsynet | NRK | Record

Image: Ideogram
