Gravy Analytics: How a Compliance Mandate Foreshadowed a Privacy Disaster

In December 2024, the Federal Trade Commission (FTC) took decisive action against data broker Gravy Analytics and its subsidiary, Venntel. The FTC alleged that these companies unlawfully collected and sold sensitive location data without obtaining consumers' consent, violating the FTC Act. This data included information about individuals' visits to sensitive locations such as healthcare facilities, places of worship, and military installations. The FTC's proposed order prohibited Gravy Analytics and Venntel from selling, disclosing, or using such sensitive location data in any product or service. Additionally, the companies were required to establish a comprehensive sensitive data location program to ensure compliance with privacy regulations. (Source: FTC Press Release)

Despite this regulatory intervention, Gravy Analytics faced a significant data breach in early January 2025. Unauthorized access to their AWS cloud storage environment led to the exposure of precise location data from millions of mobile devices. Hackers claimed to have obtained 17 terabytes of data, including sensitive information that could potentially identify individuals' movements and locations. The breach was discovered on January 4, and preliminary investigations suggested that some of the stolen files might contain personal data associated with users of third-party services that supply data to Gravy Analytics.

The breach has raised concerns about the privacy implications for users of various mobile applications. While Gravy Analytics collects data through real-time bidding processes in digital advertising, which may involve numerous apps, specific applications potentially affected by this breach include:

  • Candy Crush
  • Tinder
  • MyFitnessPal
  • Grindr
  • Muslim Pro
  • Flightradar24

It is important to note that many of these app developers and their users were likely unaware that such data collection was taking place. The practice raises significant privacy concerns, as it involves the harvesting of sensitive location data without explicit consent.

This incident underscores the critical importance of robust data security measures and compliance with evolving privacy regulations. For IT professionals, it serves as a stark reminder of the potential consequences of inadequate data protection practices and the need for vigilance in safeguarding sensitive information.

Written by

obfuscated.site

A decade of experience in system administration, vulnerability management, and digital security.