The Register

Coordinates of millions of smartphones feared stolen, sparking yet another lawsuit against data broker

Gravy Analytics has been sued yet again for allegedly failing to safeguard its vast stores of personal data, which are now feared stolen. And by personal data we mean information including the locations of tens of millions of smartphones, coordinates of which were ultimately harvested from installed apps.

A complaint [PDF], filed in federal court in northern California yesterday, is at least the fourth such lawsuit against Gravy since January, when an unidentified criminal posted screenshots to XSS, a Russian cybercrime forum, to support claims that 17 TB of records had been pilfered from the American analytics outfit’s AWS S3 storage buckets.

The suit this week alleges that this massive archive contains the geo-locations of people’s phones.

Gravy Analytics subsequently confirmed it suffered some kind of data security breach, which was discovered on January 4, 2025, in a non-compliance report [PDF] filed with the Norwegian Data Protection Authority and obtained by Norwegian broadcaster NRK.

Three earlier lawsuits in the US – filed in New Jersey on January 14 and 30, and in Virginia on January 31 – make similar allegations.

Gravy Analytics and its subsidiary Venntel were banned from selling sensitive location data by the FTC in December 2024, under a proposed order [PDF], finalized on January 15, 2025, that resolves the agency’s complaint against the companies.

The FTC complaint alleged the firms “used geofencing, which creates a virtual geographical boundary, to identify and sell lists of consumers who attended certain events related to medical conditions and places of worship and sold additional lists that associate individual consumers to other sensitive characteristics.”

The US consumer watchdog has also taken action against data sellers Kochava in 2022, and X-Mode, InMarket, and Mobilewalla in 2024. It’s unclear whether the FTC under the Trump administration will continue privacy enforcement with the same vigor given the administration’s efforts to roll back regulation throughout the US government.

According to the latest complaint against the data peddler, “the hacked Gravy Analytics data included tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe, obtained through individuals’ use of major mobile applications such as Tinder, Grindr, Candy Crush, Subway Surfers, Moovit, My Period Calendar & Tracker, MyFitnessPal, Tumblr, Microsoft’s 365 office application, Yahoo’s email client, religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which users generally download, ironically, in an attempt to protect their privacy.”


The complaint argues that Gravy, now a subsidiary of Unacast following their merger in 2023, had a duty to protect the data it had collected and stored, citing the harm that arises when stolen data is used for identity theft. It alleges violations of California’s Unfair Competition Law, as well as negligence, breach of implied contract, and unjust enrichment; the US still has no general federal privacy law.

Gravy-Unacast did not respond to a request for comment.

The analytics biz insists in a document [PDF] posted on its website that it does not collect location data directly from apps but instead licenses it from other data providers who have obtained the information from consenting users of mobile apps.

“Importantly, we do not track smartphone user locations, nor collect any location data directly from individuals or from application publishers (smartphone applications),” Gravy says. “The data we use is already commercially available data collected via smartphone apps, purchased at scale by data brokers or aggregators, then licensed to Gravy Analytics and other organizations like ours.” ®
