A major data breach at location data broker Gravy Analytics has exposed sensitive smartphone tracking data, marking the latest incident in an industry facing increasing regulatory scrutiny. The breach comes as data brokers face mounting pressure from federal regulators over their data collection and sharing practices.
Gravy Analytics reported a breach to Norwegian authorities after a hacker accessed their Amazon Web Services (AWS) cloud storage through a misappropriated access key. The compromised data includes historical location information for millions of smartphone users, collected from thousands of apps including Tinder, Grindr, Candy Crush, and various religious and pregnancy tracking applications. The breach was discovered when the hacker notified Gravy Analytics on January 4, 2025. The incident highlights ongoing concerns about cloud security practices, particularly regarding access key management.
The incident occurs as Gravy Analytics and its subsidiary Venntel face Federal Trade Commission (FTC) scrutiny. In December 2024, the FTC determined that both companies violated the FTC Act by selling non-anonymized consumer location data without proper user consent for both commercial and government purposes. The ruling follows a pattern of increased federal oversight of location data practices, similar to recent investigations into other tech companies’ data handling procedures.
A separate investigation has revealed the scale of location tracking through advertising networks. A dataset obtained from US data broker Datastream Group (now Datasys) shows approximately 40,000 apps participating in location data trading, encompassing 47 million Mobile Advertising IDs and 380 million location data points from 137 countries. The data collection occurs through Real Time Bidding (RTB), an advertising auction system where apps and websites transmit user data to numerous companies.
“This is contrary to everything that the average users of apps would expect – to be able to track where they have been for months afterwards,” said Bavarian Data Protection Commissioner Michael Will. “The data broker should not have had this data. This is beyond the agreed rules of the game.”
The Consumer Financial Protection Bureau (CFPB) has proposed new regulations that would classify data brokers as “consumer reporting agencies,” subjecting them to stricter standards under the Fair Credit Reporting Act (FCRA). The move aims to enhance accountability in the handling of sensitive personal and financial information, particularly as digital identity verification becomes increasingly crucial in financial services.
“The current findings show and confirm once again that the global online advertising market has escaped any control,” said Michaela Schröder from the Federation of German Consumer Organizations (vzbv). “Unscrupulous data traders collect and disseminate highly sensitive information about people, while websites and apps make these illegal practices possible.”
The German Federal Ministry for Consumer Protection advocates EU-wide protection against personalized advertising, as well as technical standards that prevent devices from collecting identifying data, supporting broader international efforts to regulate digital privacy and data collection practices.
Sources: The Record, Law.com, Netzpolitik