Location tracking company Unacast tells Norway its data was hacked, broadcaster says

 


Location tracking company Unacast has confirmed to the Norwegian government that it was the victim of a significant data breach, according to a notice published by Norwegian public broadcaster NRK on January 11, 2025. The breach, which involved Unacast’s subsidiary Gravy Analytics, has raised serious concerns about the security of sensitive location data collected from millions of individuals worldwide.


Key Details of the Breach

Unauthorized Access to Cloud Storage
Unacast discovered unauthorized access to its Amazon Web Services (AWS) cloud storage on January 4, 2025. The breach was reportedly caused by a “misappropriated” key, which allowed hackers to steal sensitive data. The company is still investigating the full extent of the breach.

Leaked Data and Potential Impact
The stolen data includes location information tracking individuals across 30 million locations globally. While the data does not explicitly identify individuals by name, it uses pseudonyms that can still be linked to specific people based on their movement patterns. For example, if a person’s data shows they spend most nights at a particular address, it is likely their home.

Hacker’s Ransom Demand
A hacker on a Russian cybercrime forum claimed responsibility for the breach, posting screenshots and uploading 17 terabytes of data as evidence. The hacker demanded an unspecified ransom, threatening to release more data if their demands were not met. The leaked files were later removed but had already been downloaded and analyzed by cybersecurity researchers.


Government and Regulatory Response

Notification to Norwegian Authorities
Unacast notified Norway’s data protection authority, Datatilsynet, about the breach. The company stated that some of the stolen files “could contain personal data,” though the exact nature of the data is still under investigation.

Concerns Over Privacy and Security
Tobias Judin, a section chief at Datatilsynet, expressed deep concern over the breach, stating that such data can reveal intimate details about individuals, including their home addresses, workplaces, and even personal relationships. He warned that this information could be used for manipulation, fraud, or blackmail.


Broader Implications

Impact on Individuals
The breach highlights the risks associated with the collection and sale of location data. Even without explicit identifiers, location data can be used to infer sensitive information about individuals, posing significant privacy risks.

Regulatory and Legal Challenges
The incident underscores the need for stronger data protection laws, particularly in the U.S., where there is no comprehensive federal privacy law. The breach also raises questions about the oversight of data brokers, who often operate with minimal transparency.

Reputational Damage to Unacast
Unacast and Gravy Analytics have faced criticism for their data collection practices. Last month, the Federal Trade Commission (FTC) accused Gravy of illegally collecting and selling Americans’ location data without consent. This breach further damages the company’s reputation and raises concerns about its ability to safeguard sensitive information.


Conclusion

The Unacast data breach is a stark reminder of the vulnerabilities in the data broker industry and the potential consequences of inadequate data security measures. As investigations continue, the incident is likely to fuel calls for stricter regulations and greater accountability for companies that collect and sell personal data.
