
Data Broker Experiences Massive Cybersecurity Breach Involving Sensitive Location Data

Gravy Analytics, a prominent player in location-based data intelligence and the parent company of Venntel, announced it has been the victim of a massive cyberattack. Hackers claim to have exfiltrated 17 terabytes of sensitive data, exposing not only the vulnerabilities within the company’s cybersecurity infrastructure but also the risks posed to individual privacy and corporate integrity.

The Breach: What Happened?

The breach, announced on January 7, 2025, was perpetrated by hackers who gained access to Gravy Analytics’ systems, including purported root access to its servers and control over Amazon S3 buckets used for large-scale sensitive data storage. The attackers, who disclosed their claims on the XSS cybercrime forum, reportedly stole extensive datasets containing:

  • Historical smartphone location data, including precise GPS coordinates, timestamps, and movement patterns.
  • Customer lists featuring major well-known corporations.
  • Movement classifications (e.g., "LIKELY_DRIVING") and sensitive intelligence related to individual behaviors and routines.

The hackers shared a 1.4GB sample of the stolen data and issued a 24-hour ultimatum, threatening to publish the data unless their demands are met. As of now, Gravy Analytics’ website remains offline.

Impacts on Victims

Gravy Analytics’ business model involves collecting and analyzing anonymized location data from mobile devices to provide insights for businesses and government agencies. This breach has raised concerns about the safety of:

  • Individual Privacy: The leaked data could enable the identification of individuals, revealing sensitive personal information such as health-related visits, religious affiliations, political activities, and sexual orientation.
  • Corporate Clients: Major corporations that partner with Gravy Analytics could face reputational damage and legal risks if their data is found in the stolen datasets.
  • Government Agencies: Gravy’s subsidiary, Venntel, has sold location data to U.S. Government agencies like the Department of Homeland Security, Internal Revenue Service, and FBI. The exposure of these relationships could compromise national security initiatives.

Implications for Data Brokers

The breach highlights the inherent risks in the location data industry. Experts warn that stolen bulk location data could be exploited for tracking journalists, activists, and other high-risk individuals, as well as for discriminatory purposes. The breach has also drawn attention to the ethical concerns surrounding the collection and commercialization of location data without proper user consent.

This is the second major setback for Gravy Analytics in the last several months. In December 2024, the Federal Trade Commission (FTC) announced an enforcement action against Gravy Analytics and Venntel, accusing them of violating consumer privacy laws by collecting and selling sensitive location data without obtaining verifiable consent. This incident underscores a trend towards stricter regulations and robust cybersecurity measures across the data brokerage industry.

Hijacking Popular Apps for Location Data Exploitation

In addition to the massive data breach, reports on how Gravy Analytics collected the data involved in the hack shed light on a growing concern in the ad tech industry: the exploitation of real-time bid streams to extract user location data from popular apps. Included in the hacked files was location data from popular applications, likely unbeknownst to users and the app developers themselves.

Real-Time Bid Stream Exploitation

Ad tech companies utilize real-time bidding (RTB) to display targeted ads to users. This process involves sharing granular user data, including location, with potential advertisers. However, data brokers and other third parties have exploited this system to collect and resell sensitive location data at scale. Apps with large user bases are particularly vulnerable due to the high volume of data transmitted during RTB processes.

Privacy and Security Implications


The misuse of real-time bid streams exacerbates the risks highlighted by the Gravy Analytics breach:

  • Anonymity Risks: Even ostensibly anonymized data can be re-identified when combined with other datasets, exposing individual habits and sensitive information.
  • Broader Surveillance Threats: The ability to track individuals in real-time poses dangers to journalists, activists, and high-risk individuals who may be targeted based on their movements, particularly when the buyers of this sensitive information may include government entities.

The Importance of Data Minimization

The Gravy Analytics breach highlights the critical role of data minimization, a principle embedded in most state privacy laws. This principle requires businesses to collect, use, and retain only the data necessary for specific purposes, thereby reducing risks in the event of a breach.

Had the apps from which Gravy Analytics harvested location data implemented robust data minimization practices, the volume and sensitivity of exposed data could have been significantly reduced, limiting harm to individuals and businesses. Some of the enhanced data minimization requirements in newer state laws may have forced Gravy Analytics to refrain from certain types of data collection practices.

Lessons for Businesses

The Gravy Analytics breach serves as a reminder for companies about the importance of cybersecurity and ethical data handling practices. Key takeaways include:

  • Incident Response Plans: Prepare for breaches by developing a comprehensive incident response plan, including communication strategies to inform stakeholders promptly and transparently, and tabletop exercises to prepare for emergencies. Law firms and cybersecurity firms are instrumental in developing and drafting such incident response plans.
  • Enhanced Cybersecurity Measures: Companies must prioritize robust cybersecurity infrastructure, including regular audits, penetration testing, and real-time monitoring of potential threats. Laws in numerous states, including New York and California, focus not just on privacy or breach notification, but on substantive cybersecurity requirements.
  • Data Minimization: Collect only the data that is necessary and ensure proper anonymization techniques to protect user privacy.
    • Nearly every state’s privacy law includes a data minimization requirement.
  • Regulatory Compliance: Twenty states (and counting) have passed comprehensive privacy laws, which introduce many requirements, from new rights for consumers, to data security requirements, to contracting requirements for businesses and their processors and vendors (e.g., data processing addenda or “DPAs”). The legal complexity and regulatory scrutiny in this space continue to grow, meaning companies must proactively address privacy concerns in an ongoing manner – not just post a privacy policy.

And, data brokers of all types – not just location data brokers – should review their activities with legal counsel and ensure they are complying with data broker laws throughout the United States. Currently, California, Oregon, Texas, and Vermont have data broker-specific laws, which require registration and payment of annual fees. Moreover, the California Privacy Protection Agency (CPPA) recently broadened the definition of “data broker” such that it may include categories of businesses not traditionally thought of as data brokers, such as advertising agencies and other entities in the adtech space.
