Hackers Claim Massive Breach of Location Data Giant, Threaten To Leak Data (404media.co) 41

Hackers claim to have compromised Gravy Analytics, the parent company of Venntel, which has sold masses of smartphone location data to the U.S. government. 404 Media: The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show people's precise movements, and they are threatening to publish the data publicly.

The news is a crystalizing moment for the location data industry. For years, companies have harvested location information from smartphones, either through ordinary apps or the advertising ecosystem, and then built products based on that data or sold it to others. In many cases, those customers include the U.S. government, with arms of the military, DHS, the IRS, and FBI using it for various purposes. But collecting that data presents an attractive target to hackers.

  • new law needed (Score:5, Insightful)

    by jriding ( 1076733 ) on Tuesday January 07, 2025 @03:45PM (#65070951)

    If you harvest data and sell or make money off of it, and it is breached the C-suite gets 10 years in prison.

    • by Tablizer ( 95088 )

      New "Law" Needed: Cruise Missile up hackers' asses

      • by Anonymous Coward

        Personally, I very much hope the hackers will post this data. Even knowing that my data may be there.

        I think we all need to know just how much data these companies are grabbing and compiling. Perhaps once the invasive nature of this data is exposed, we can finally get some controls on its collection and use.

        It would be interesting to see the location history on public figures as well as the common folk.

    • Balance Needed (Score:5, Interesting)

      by Roger W Moore ( 538166 ) on Tuesday January 07, 2025 @04:03PM (#65071013) Journal
      You need to apply some balance to that. In cases where a company has not followed industry standard security procedures appropriate to the data being stored then sure. But if they have taken appropriate security measures but got hacked by, for example, a state-sponsored group with considerable know-how and resources then even the best security measures are not going to protect your data and it's hard to blame the company for that any more than you would blame a bank for being robbed.

      However, regardless of fault all companies should be held financially liable for the damage caused by any release of any data that they store and perhaps required to carry appropriate liability insurance. That will ensure they have an insurance company breathing down their necks to keep data secure in a way that's probably far more effective and far reaching than any criminal law could ever be.
      • Re:Balance Needed (Score:4, Insightful)

        by Alinabi ( 464689 ) on Tuesday January 07, 2025 @05:51PM (#65071257)
        Requiring that they follow "industry standards" would only encourage the industry to lower its standards below rock bottom. How about requiring that they follow standards specified in the law, such as "all internet facing software must be formally verified to be free of defects that would allow privilege escalation or circumvention of access controls", in addition to no liability shielding. Full liability for damages caused by their product should be something that applies to all software companies, just like it does to any other product of human engineering.
        • Requiring that they follow "industry standards" would only encourage the industry to lower its standards below rock bottom. How about requiring that they follow standards specified in the law

          The problem with establishing standards in the law is that it is too slow to change to counter emerging threats and computer security can change really quite rapidly. That's why I'd favour requiring data loss insurance. The insurance companies providing the coverage will have a very strong financial motivation to develop and maintain decent security standards and they can update them far more rapidly than any law though perhaps having a law to establish a minimum below which executives can expect to get cr

      • 1. Setting to block location data on a per app basis
        2. Setting to provide generic location data on a per app basis such as always report the phone is in Grand Central Station, New York City
        3. Setting to provide mostly randomized location data limited to a city, state, country or world
        4. Envelope settings to isolate apps by what level of API calls related to location, phone specifics, internet ip address, dns server address, etc., log files, etc.

        All could be implemented at the OS level with configuration in

        • by tlhIngan ( 30335 )

          1. Setting to block location data on a per app basis

          Both iOS and Android support this.

          iOS does prompt you when an app requests location data (or access to a data pool that can contain location data, e.g., photos), and you have the option to grant it, block it, or grant it only when the app is running. Though if you grant it, it apparently resets after 30 days to only when the app is running

    • Better law needed: "Do not collect data that is not necessary. Delete data when it is no longer necessary."

      If it is collected, it will be leaked/stolen/sold and used against us.

    • That sounds like punishing the victim to me. "Your store was broken into by thieves, YOU go to jail!" Yeah, makes a lot of sense.

      • That sounds like punishing the victim to me. "Your store was broken into by thieves, YOU go to jail!" Yeah, makes a lot of sense.

        "Your store was broken into by thieves because you were more interested in your stock price and personal bonuses than adequately protecting the private data you were trusted with. You go to jail."

        There, fixed that for you.

        Not that I realistically expect that to happen, not at least in the next couple of years. But currently C-suites are getting rewarded for cutting security (savings, better bottom line) rather than for investing in it. That's not how it should be, intuitively.

        • Your "fix" doesn't change a thing.

          Let's refine the analogy, making the store a consignment shop. That means that the store is entrusted by many people with items they own and value. The consignment shop owner is only interested in his own profits and personal bonuses, and chooses not to install a strong security system because of the cost. Thieves break in and steal a bunch of the product, owned by individuals, that was supposed to be safeguarded by the owner of the shop.

          So, throw the consignment shop owner i

    • Was there not a recent case where Judges said there was no expectation of privacy on the internet - but went bananas when citizens published dossier level details on the Judges in question. Police, Detectives, DPP and Judges are sensitive to being exposed, same for politicians having affairs. What these people are NOT thinking is that 15 years of movement data - a good blackmailer should be able to turn up something embarrassing. They cannot undo this. Once Trump has done all his appointment filling, the
  • by Baron_Yam ( 643147 ) on Tuesday January 07, 2025 @03:54PM (#65070973)

    You could get a lot of blackmail material with some smart analysis - find men and women with the same last name who are together most nights... Then look for hookups and massage parlour visits.

    Or maybe look up crime maps (some police forces publish the data) and find people who seem to be at a crime scene more than once. You'll get a list of cops and criminals, and from there where they live and who their friends are. Each list profitable in its own way.

    • by EvilSS ( 557649 )
      Hopefully if it does leak they will target politicians and we might get some laws banning these location broker businesses completely.

      Ah hell, who am I kidding, they will just mandate special opt-outs for themselves and fuck everyone else.
      • by Sloppy ( 14984 )

        Hopefully if it does leak they will target politicians and we might get some laws banning these location broker businesses completely.

        This is the way. The Bork Tapes led to the Video Privacy Protection Act.

        Anyone know what it would cost, to hire Locate X (or something like it) to generate daily reports of the movements of everyone in Congress and SCOTUS?

        • Hopefully if it does leak they will target politicians and we might get some laws banning these location broker businesses completely.

          This is the way. The Bork Tapes led to the Video Privacy Protection Act.

          Anyone know what it would cost, to hire Locate X (or something like it) to generate daily reports of the movements of everyone in Congress and SCOTUS?

          My guess is the Go Fund Me page for that one would make enough to cover it before the government forced it to be shut down.

    • You can also use the data to find gatherings, even underground ones, perhaps send someone as an agent provocateur to stir things up, so a quiet rally turns into a riot.

      Extortion and blackmail definitely come to mind, especially if two people are found to have been in the same room at a hotel at the same time.

      Don't forget physical job interviews. A lot of companies would love to know if someone takes a sick day and is off interviewing at UAC.

      Problem is that if info is gathered, eventually it will be hacked

    • Finally that Jessica Fletcher will be exposed for "coincidentally" being at murder scenes time and time again.

  • That's why GPS is turned off unless I absolutely need it, and my cellphone spends 90% of its time in airplane mode.

    The sumbitches can't lose data they don't have.

    • If you use Android, I believe Google was caught interpreting 'location services off' as 'cache it and do a burst transmission the next time the user turns the service on'.

      • Where would it get location information from with GPS off, wifi off and airplane mode?

        • If you have all those off, it would get nothing from them, of course. But it's a phone, right? You have mobile voice going, and that will produce location results. Usually worse than GPS, definitely garbage in rural areas, but location data nonetheless.

          And since we're talking Android, we're talking smart phones... You're probably going to have the WiFi on at home and at the office at least. That may not be 100% of your time, but it is location data.

          • I keep my phone off on the move. I don't want people calling me when I drive anyway, so what's the point of broadcasting my position.

            I come out of airplane mode when I'm sitting somewhere for some length of time. Then they get my position. So whoever is tracking me only gets discrete points on the map.

            And on the bus or onboard trains, there's free wifi - with VoIP working just fine - so no tracking there. No easy tracking anyway: the point isn't to be untraceable, the point is to make it not cost-

    • ok but how is the mcdonalds app going to know what mcdonalds I am at without GPS?

    • That approach kind of puts a damper on using the cellphone for things like...communication.

    • GPS is just icing on the cake. Any time your phone is (trying) to connect to the cell network, it's giving away its position. So every time you turn off airplane mode, even for just a moment, they've got your position.

      Avoiding the cell network and using Wifi doesn't really help either. However, it's possible that turning off location services *might* stop your phone calling home and giving away your location. I doubt it's as simple as that though - but at least you're spreading your location data around to

  • Data is the new oil, or so they used to say. However, is this hacking pirates seeking quick riches, or is this a psy-op of a nation state seeking to force another to build a wall?

    My first reaction is that these hackers are likely not domestic, the article requires a login and the readable portion without such does not credit a group behind this breach. If the hackers are not domestic, then my next thought is whether there should be an air-gapped solution separating risk sectors? A "Great Firewall" between
  • It should be illegal for companies to collect, store and (ab)use this kind of location data.

    • Why is location data a special category?

      Location data has many legitimate uses, just like any other kind of data. It also has illegitimate uses, just like any other kind of data.

  • They get the location data from apps on your phone that periodically grab all the info they can get their hands on and export it to multiple tracking companies that pay money for it. I know this because it is blocked on my phone and I can see what they want to send and where it would go.

    If you have an Android phone you can prevent the tracking. Install the duckduckgo app, go to settings and turn on application tracking protection. It instantiates a local VPN that filters all the network traffic and blocks t

  • If they got the data they claim to have, they really should publish it at wide.
    It's time to wake up the folks about what the private sector is doing to them.

    Really, as a public service, they should follow in the footsteps of Edward Snowden and publish all they have.

    This is not a joke. Publish.
