Risky Bulletin Podcast Summary: "Sponsored: Why Hacked Geolocation Data Is Worrying"
Release Date: March 30, 2025
Hosted by: Tom Muren
Guest: Ed Curry, Associate Managing Director, Croll Cyber and Data Resilience
Introduction
In this episode of Risky Bulletin, host Tom Muren talks with Ed Curry, Associate Managing Director in Croll’s Cyber and Data Resilience area. Their conversation centers on the recent hack of Gravy Analytics, a leading provider of geolocation data, and on the implications and dangers of compromised geolocation information.
The Gravy Analytics Hack
The episode kicks off with Tom introducing the incident involving Gravy Analytics, a company renowned for aggregating and selling geolocation data to businesses for marketing and advertising purposes. Tom Muren asks:
“[00:14] I'm well. Ed is the associate managing director in CRO's cyber and data resilience area. And today we're going to talk about packs of geolocation data. So there has been relatively recently a hack of Gravy analytics, which is a company that gathers geolocation data and resells it to business for marketing and stuff like that. So what happened and what makes you worry about that kind of hack? Yeah, let's go from there.”
Ed Curry responds by emphasizing the pervasiveness of data breaches but underscores the unique risks posed by the theft of geolocation data:
“[00:43] Yeah, that's, that's a good question. So as you mentioned, like, why this particular hack? Because there's hacks and network intrusion and data breaches, they're happening all around us. But when you couple it with a number of other things that are happening in the world...”
Risks of Hacked Geolocation Data
Ed elaborates on why the Gravy Analytics breach is particularly concerning. Unlike generic data breaches, the compromise of geolocation data intersects with various global events and increases the vulnerability of individuals and corporations alike. He highlights potential malicious uses, including:
- Swatting and Harassment: Personal location data can lead to swatting incidents or targeted harassment.
- Targeted Attacks: For example, using geolocation data to identify and target executives or high-profile individuals.
Misconceptions About Anonymized Data
A significant portion of the discussion addresses the misconception that anonymized geolocation data is harmless. Tom Muren challenges this notion:
“[02:02] A: Yeah, yeah, yeah. So I'm interested in geolocation data because it seems like a very powerful. Well, it is very powerful in terms of finding out about particular people. And to me it seems like there's this myth that because it's theoretically anonymized, everything's good. Good. But that is a myth, right? Like, even though it's theoretically anonymized, you can still find individuals and for lack of a better term, hunt them down.”
Ed Curry concurs, emphasizing that even anonymized data can be de-anonymized with sufficient effort and context:
“[02:27] B: Yes, that's correct. One of the things that we saw on a really broad scale from the Ukraine, Russia conflict...”
Real-World Implications and Examples
Ed provides real-world examples to illustrate the dangers of compromised geolocation data. He references the Ukraine-Russia conflict, where geolocation information was exploited to target mobile devices of soldiers, showcasing the data's potential use in high-stakes environments.
Furthermore, Tom shares an instance involving a Catholic priest identified through geolocation data obtained from Grindr, highlighting personal privacy invasions:
“[04:13] A: ...the data they bought was Grindr data. That's the only time I can think of where someone has taken geolocation data and used it deliberately to identify someone. And I'm sure it must go on more than this, but do you have thoughts why that kind of malicious abuse doesn't appear to be more common?”
Potential Misuses by Threat Actors
When pressed about the motivations and capabilities required to misuse geolocation data, Ed explains that while such abuses are not ubiquitous, they are highly impactful when they occur. He categorizes potential misuses as follows:
- Phishing Attacks: Crafting believable phishing messages based on known locations and habits of targets.
- Business Email Compromise (BEC): Using geolocation data to impersonate trusted contacts or institutions convincingly.
- Social Engineering: Gaining insights into an individual’s routines to manipulate them effectively.
Tom illustrates how this could work:
“[06:19] A: Right, right, right. Yeah. I guess if you say I met you at a certain location even though you weren't there, but you know, it adds sort of credibility if you know where they've been for whatever reason.”
Current Trends in Cyberattacks Using Geolocation Data
While direct utilization of geolocation data in phishing may not be widespread yet, Ed notes a discernible trend towards more personalized and sophisticated cyberattacks:
“[06:56] B: We don't, haven't made the connection of like geolocation information being utilized for phishing attacks, but we have seen where threat actors have used all available information to improve their messaging. So years ago we used to see like phishing messages with a lot of grammatical errors...”
This evolution signifies a shift from generic attacks to more targeted and convincing ones, leveraging any available data to increase success rates.
Protecting Against Geolocation Data Exploitation
Addressing the pressing question of protection, Ed advocates for heightened awareness and proactive security measures. He advises:
- Enhanced Phone Security: Implementing robust security protocols on mobile devices.
- Privacy Settings: Regularly updating and tightening privacy configurations to limit data exposure.
- Network Security: Strengthening network defenses to prevent unauthorized access.
Ed underscores the importance of actionable intelligence, ensuring that listeners can translate awareness into tangible security improvements:
“[08:08] B: Yeah, we don't want to necessarily want to make people paranoid but aware of the risks that are out there...”
Additionally, he references the Gravy Analytics report, which detailed how high-profile individuals like Mark Zuckerberg and Elon Musk had their private jet movements tracked, stressing the real dangers faced by even the most prominent figures.
Conclusion
The episode concludes with Tom Muren expressing gratitude to Ed Curry for shedding light on the multifaceted risks associated with hacked geolocation data. The discussion underscores the necessity for both individuals and organizations to recognize the vulnerabilities posed by such data breaches and to implement comprehensive security strategies to mitigate potential threats.
“[09:14] B: Great, thank you, Tom.”
Key Takeaways:
- Geolocation Data is Highly Sensitive: Even when anonymized, it can be pieced together to identify and target individuals.
- Malicious Uses are Diverse: From swatting to sophisticated phishing attacks, the potential for abuse is significant.
- Evolving Cyber Threats: Cybercriminals are increasingly leveraging diverse data types to enhance the effectiveness of their attacks.
- Proactive Measures are Essential: Awareness and the implementation of robust security measures can help protect against the exploitation of geolocation data.
This episode serves as a crucial reminder of the evolving cybersecurity landscape and the imperative to safeguard geolocation information against malicious actors.
