A
Hello everyone, this is Tom Muren. I'm here with another Risky Business News sponsor interview. Today I have with me Ed Curry from Croll. G'day, Ed, how are you?
B
Good day, how are you?
A
I'm well. Ed is the associate managing director in Croll's cyber and data resilience area. And today we're going to talk about hacks of geolocation data. So there has been relatively recently a hack of Gravy Analytics, which is a company that gathers geolocation data and resells it to business for marketing and stuff like that. So what happened and what makes you worry about that kind of hack? Yeah, let's go from there.
B
Yeah, that's, that's a good question. So as you mentioned, like, why this particular hack? Because there's hacks and network intrusion and data breaches, they're happening all around us. But when you couple it with a number of other things that are happening in the world, such as the UnitedHealthcare CEO shooting, you know, there are businesses that are out there that are very interested in looking to see if the extensiveness of their security measures that they do take to protect their companies and protect their executives. So when you see something like Gravy Analytics, which as you mentioned, is one of the largest providers of real world location intelligence that they've, you know, used to sell to other businesses and marketing services and advertising services, and you see like that data that has been compromised, people should be aware, especially those who are looking to reevaluate how much security they have and how they, how exposed they are. This is a vector in which, you know, it's not readily available. You could buy it from marketing, you can buy this type of data, but threat actors could potentially use this for ill intentions. It doesn't necessarily have to be like a shooting on the streets of New York City, but it could also lead to some other things like pranking or even like something like swatting is also like a common thing. Especially if it's information like this, geolocation information that leads to somebody's home.
A
Yeah, yeah, yeah. So I'm interested in geolocation data because it seems like a very powerful. Well, it is very powerful in terms of finding out about particular people. And to me it seems like there's this myth that because it's theoretically anonymized, everything's good. Good. But that is a myth, right? Like, even though it's theoretically anonymized, you can still find individuals and for lack of a better term, hunt them down.
B
Yes, that's correct. One of the things that we saw on a really broad scale from the Ukraine, Russia conflict, even where you're seeing that the Russians are moved from critical infrastructure targeting to actually targeting mobile devices of soldiers, particularly like their apps, and then using that as targeting information for the weapon systems. Yeah.
A
So you said the data from Gravy Analytics ended up on the dark web. Did you say that there was a ransom attached to it and what happened to that data?
B
Right, so our investigation showed that there was like the event went over several days. So the first day it was where the threat actor posted that he had stolen this data, and then there was another day where he provided samples of that data, and then he ended up later posting a ransom for that data to Gravy Analytics the following day. Of that, we saw the posts go down for ransom and no longer was the data available. We were assuming that Gravy Analytics paid the ransom and was able to get their data back.
A
Right, right, right. To me, that's interesting because you would think that if you really believe the marketing guff, that data's harmless because it's been anonymized. And so therefore why would the company, why wouldn't you pay to take it down?
B
Yeah, I've had experience, over 15 years experience dealing with cyber criminals, transnational organized cyber criminals, and you'd be surprised what information they can turn into something that's profitable. You know, it's no longer just the financial sector, which is what people used to think is like for the profit driven cyber criminals, but now it's like all sectors because they're able to manipulate the hacks and the data that they have into something profitable to put money in their pockets.
A
Now, two or three years ago, I wrote a story about a Catholic priest and he was outed by a Catholic publication on Substack, and they bought geolocation data and they tracked this priest and identified him based on where he was living and the places he was going to. And I think the data they bought was Grindr data. That's the only time I can think of where someone has taken geolocation data and used it deliberately to identify someone. And I'm sure it must go on more than this, but do you have thoughts why that kind of malicious abuse doesn't appear to be more common?
B
Yeah, that's a really good question. So I think it's based off of motivation and capability and person skill set. So if it's something like geolocation data that is then something that is like very easy to get, very easy to understand, and then you would also have to have somebody motivated enough to know, how can I use this to gain my ultimate outcome? I think that a lot of that is because you have to have like pretty much a malicious mind and a pretty motivated intent to use this type of data.
A
I guess to turn this around, I'll ask you, Ed, to put on your malicious threat actor hat. I asked you before why it's less common. But from your perspective and with your experience, is this the sort of data that you would look at if you wanted to try and target someone?
B
Oh, yes. It could be like used for phishing attacks or business email compromise attacks. Could also be used for social engineering as well to kind of vector you into like what your habits are and where you go. So like, especially like in phishing attacks, if you, if someone's geolocation data is available and you see that the person like routinely goes to a particular coffee shop or a particular store, and then you can kind of like shape a fictitious email to somebody by knowing all that information.
A
Right, right, right. Yeah. I guess if you say I met you at a certain location even though you weren't there, but you know, it adds sort of credibility if you know where they've been for whatever reason.
B
Exactly. Or even saying, you know, if it's like Joe's Coffee Shop. Hey, this is, you know, Joe from Joe's Coffee Shop. We see that you visit here all the time, click on this link for coupons, and then you click on a link and it directs you to a malicious site. And now you've downloaded some kind of malware or ransomware.
A
So are you seeing those kinds of attacks right now or do you think that is an attack that will happen in the future?
B
We don't, haven't made the connection of like geolocation information being utilized for phishing attacks, but we have seen where threat actors have used all available information to improve their messaging. So years ago we used to see like phishing messages with a lot of grammatical errors, that type of thing. But now these days, or even something random as far as like the messaging and who they're purporting themselves to be with this type of information. And what we've seen like in the attacks, they, the messaging is much more clear, it's much more customized for the victim because of geolocation information of understanding what the person's habits are is then revealed in those emails.
A
Yeah. Now what are you doing in terms of trying to protect people? Are you looking at that kind of data and saying to, I don't know Mark Zuckerberg or someone like you need to look at your personal security or your presence of life is out there and therefore maybe you need to change things. What's the sort of implication for the people whose data is in those types of data sets?
B
Yeah, we don't want to necessarily want to make people paranoid but aware of the risks that are out there. We don't want to give necessarily information just for the sake of information, but we want it to be actionable. So what is it that somebody can when they hear a story like this, like Gravy Analytics, geolocation information being stolen and being sold on the deep dark web, what can they do about it? Maybe it's security measures that they can take on their phone, the privacy settings that they can put on their phone, the way they secure their network, those type of things. And it's funny that you bring up Mark Zuckerberg because that is actually one of the examples in the Gravy Analytics report that came out was the US Federal air tracking. There was like high profile individuals where their private planes were being tracked through a particular app, like an exchange app to track airplanes. And Mark Zuckerberg and Elon Musk were both being victimized, their movements of their private jets being tracked.
A
Okay, Ed Curry, associate managing director in Croll's cyber and data resilience business, thank you very much for an interesting discussion.
B
Great, thank you, Tom.
Risky Bulletin Podcast Summary: "Sponsored: Why Hacked Geolocation Data Is Worrying"
Release Date: March 30, 2025
Hosted by: Tom Muren
Guest: Ed Curry, Associate Managing Director, Croll Cyber and Data Resilience
In this insightful episode of Risky Bulletin, host Tom Muren engages in a compelling discussion with Ed Curry, Associate Managing Director in Croll’s Cyber and Data Resilience area. The focus of their conversation centers on the recent hack of Gravy Analytics, a leading provider of geolocation data, exploring the implications and dangers associated with compromised geolocation information.
The episode kicks off with Tom introducing the incident involving Gravy Analytics, a company renowned for aggregating and selling geolocation data to businesses for marketing and advertising purposes. Tom Muren asks:
“[00:14] I'm well. Ed is the associate managing director in Croll's cyber and data resilience area. And today we're going to talk about hacks of geolocation data. So there has been relatively recently a hack of Gravy Analytics, which is a company that gathers geolocation data and resells it to business for marketing and stuff like that. So what happened and what makes you worry about that kind of hack? Yeah, let's go from there.”
Ed Curry responds by emphasizing the pervasiveness of data breaches but underscores the unique risks posed by the theft of geolocation data:
“[00:43] Yeah, that's, that's a good question. So as you mentioned, like, why this particular hack? Because there's hacks and network intrusion and data breaches, they're happening all around us. But when you couple it with a number of other things that are happening in the world...”
Ed elaborates on why the Gravy Analytics breach is particularly concerning. Unlike generic data breaches, the compromise of geolocation data intersects with various global events and increases the vulnerability of individuals and corporations alike. He highlights potential malicious uses, including:
A significant portion of the discussion addresses the misconception that anonymized geolocation data is harmless. Tom Muren challenges this notion:
“[02:02] A: Yeah, yeah, yeah. So I'm interested in geolocation data because it seems like a very powerful. Well, it is very powerful in terms of finding out about particular people. And to me it seems like there's this myth that because it's theoretically anonymized, everything's good. Good. But that is a myth, right? Like, even though it's theoretically anonymized, you can still find individuals and for lack of a better term, hunt them down.”
Ed Curry concurs, emphasizing that even anonymized data can be de-anonymized with sufficient effort and context:
“[02:27] B: Yes, that's correct. One of the things that we saw on a really broad scale from the Ukraine, Russia conflict...”
Ed provides real-world examples to illustrate the dangers of compromised geolocation data. He references the Ukraine-Russia conflict, where geolocation information was exploited to target mobile devices of soldiers, showcasing the data's potential use in high-stakes environments.
Furthermore, Tom shares an instance involving a Catholic priest identified through geolocation data obtained from Grindr, highlighting personal privacy invasions:
“[04:13] A: ...the data they bought was Grindr data. That's the only time I can think of where someone has taken geolocation data and used it deliberately to identify someone. And I'm sure it must go on more than this, but do you have thoughts why that kind of malicious abuse doesn't appear to be more common?”
When pressed about the motivations and capabilities required to misuse geolocation data, Ed explains that while such abuses are not ubiquitous, they are highly impactful when they occur. He categorizes potential misuses as follows:
Ed provides a vivid example:
“[06:19] A: Right, right, right. Yeah. I guess if you say I met you at a certain location even though you weren't there, but you know, it adds sort of credibility if you know where they've been for whatever reason.”
While direct utilization of geolocation data in phishing may not be widespread yet, Ed notes a discernible trend towards more personalized and sophisticated cyberattacks:
“[06:56] B: We don't, haven't made the connection of like geolocation information being utilized for phishing attacks, but we have seen where threat actors have used all available information to improve their messaging. So years ago we used to see like phishing messages with a lot of grammatical errors...”
This evolution signifies a shift from generic attacks to more targeted and convincing ones, leveraging any available data to increase success rates.
Addressing the pressing question of protection, Ed advocates for heightened awareness and proactive security measures. He advises:
Ed underscores the importance of actionable intelligence, ensuring that listeners can translate awareness into tangible security improvements:
“[08:08] B: Yeah, we don't want to necessarily want to make people paranoid but aware of the risks that are out there...”
Additionally, he references the Gravy Analytics report, which detailed how high-profile individuals like Mark Zuckerberg and Elon Musk had their private jet movements tracked, stressing the real dangers faced by even the most prominent figures.
The episode concludes with Tom Muren expressing gratitude to Ed Curry for shedding light on the multifaceted risks associated with hacked geolocation data. The discussion underscores the necessity for both individuals and organizations to recognize the vulnerabilities posed by such data breaches and to implement comprehensive security strategies to mitigate potential threats.
“[09:14] B: Great, thank you, Tom.”
Key Takeaways:
This episode serves as a crucial reminder of the evolving cybersecurity landscape and the imperative to safeguard geolocation information against malicious actors.