Cyber Bulletin
A different kind of security risk.
View in browser
Bloomberg

Cyber Bulletin is exclusively for Bloomberg.com subscribers. As a loyal reader, you’re receiving a complimentary trial. If you’d like to continue receiving Cyber Bulletin, and gain unlimited digital access to all of Bloomberg.com, we invite you to subscribe now at the special rate of $129 for your first year (usually $299).

Hi, it’s Ryan. An important update about the sale of Americans’ location data. But first…

Must Reads:

The Cyber Angle

The Federal Trade Commission this week banned two US location-tracking companies from selling sensitive data gathered from mobile phones.

The FTC accused Gravy Analytics and its subsidiary Venntel of unlawfully monitoring people without their consent as they visited health facilities and places of worship.

In an order finalized Monday, the FTC said the companies must within 90 days stop selling location data that tracks people in the US as they are visiting “sensitive” places.  The agency’s definition of sensitive location data also includes military installations, labor union offices and correctional facilities, among others. 

The companies can still provide the data to aid law enforcement agencies’ investigations, such as in cases involving national security, according to the FTC’s order.

The FTC’s move came just days after Gravy Analytics suffered a hack, which resulted in a user on a Russian-language cybercrime website publishing a trove of its internal files, according to media reports

Representatives from Gravy Analytics and Venntel didn’t immediately respond to requests for comment on the FTC order or the cyberattack.

The data contained a sample of more than 30 million location records showing people’s movements in towns and cities in dozens of countries, according to information provided to me by a security researcher. They are potentially highly revealing, for instance, showing individuals who visit sensitive military and intelligence facilities in North America and Europe, according to my own review and security experts’ analysis

“This breach represents one of the most concerning data leaks imaginable,” said Alon Gal, co-founder of cybersecurity firm Hudson Rock. The records could be used to trace the movement history of individuals over several years, Gal added, potentially compromising the safety of undercover agents.

Such information can be bought and sold on advertising marketplaces with little oversight or regulation, and later repurposed for a wide range of purposes, including espionage, as Bloomberg News has previously reported.

Gravy Analytics and Venntel were acquired last year by Virginia-based location intelligence firm Unacast, founded in 2015 by two Norwegian entrepreneurs.

According to the FTC, Gravy Analytics and Venntel obtained billions of location data records every day from a variety of sources – other data brokers, the mobile advertising marketplace, and applications that harvest people’s location information from their phones and resell it.

Among the hacked documents is a list of more than 13,000 apps that appear to have been sources of location data for Gravy Analytics, including popular dating, weather and shopping apps.

 “It should now be inescapably clear,” said Johnny Ryan, a director at the Irish Council for Civil Liberties, “that this is a privacy crisis and a serious national security vulnerability.”

What We Learned This Week

The Facebook Inc. WhatsApp logo on a smartphone. Photographer: Gabby Jones/Bloomberg

A hacking group linked to Russia’s government tried stealing WhatsApp data of employees at non-governmental organizations offering assistance to Ukraine, according to Microsoft.

Attackers associated with Russia’s Federal Security Service, or FSB, sent emails to specific targets asking them to join WhatsApp groups, Microsoft researchers said in a blog post Thursday. The phishing messages often appeared to be from a US government official and contained a QR code that purportedly would provide details about initiatives meant to support Ukraine in its ongoing war against Russia. Microsoft didn’t say whether any of the attempted intrusions resulted in successful breaches.

The cyberattacks were linked to Star Blizzard, a state-backed hacking group, according to Microsoft. The US Justice Department has seized or taken down 180 websites associated with the group since October with the help of Microsoft, the company said. 

A WhatsApp spokesperson said the company protects personal conversations with end-to-end encryption, and encouraged users only to click on links from people they know and trust. The Russian Embassy in Washington didn’t respond to a request for comment. -- Margi Murphy

What We’re Reading

Gone Phishing

Got a News Tip?
You can reach Ryan Gallagher at rgallagher76@bloomberg.net. You can also send us files safely and anonymously using our SecureDrop.

More from Bloomberg

Get Tech In Depth and more Bloomberg Tech newsletters in your inbox:

  • Game On for diving deep inside the video game business
  • Power On for Apple scoops, consumer tech news and more
  • Screentime for a front-row seat to the collision of Hollywood and Silicon Valley
  • Soundbite for reporting on podcasting, the music industry and audio trends
  • Q&AI for answers to all your questions about AI
Follow Us
You received this message because you are subscribed to Bloomberg's Cyber Bulletin newsletter. If a friend forwarded you this message, sign up here to get it in your inbox.
Unsubscribe
Bloomberg.com
Contact Us
Bloomberg L.P.
731 Lexington Avenue,
New York, NY 10022
Ads Powered By Liveintent Ad Choices