FTC Sues Analytics Firm for Selling Users’ Geo-Location Data

Kochava allegedly offers some of the geo-location data for free with minimal safeguards in place.

I’ve been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.

(Credit: Getty Images/Oscar Wong)

The Federal Trade Commission is suing to stop an analytics company from selling geo-location data on over 100 million consumers, including where they live and if they recently visited an abortion clinic.

According (Opens in a new window) to the FTC, an Idaho-based company called Kochava has been collecting the geo-location from other data brokers in the industry and through smartphone apps in an effort to sell the information for marketing and analytics purposes.

Kochava has been selling the information as a data feed (Opens in a new window) covering 125 million monthly active users, and charging thousands of dollars per month for access. The geo-location data can include the precise longitude and latitude of the user’s smartphone, along with timestamps and the IP address. To protect consumers, the company strips out users’ identities from the data and assigns them a mobile advertising ID.

Nevertheless, the FTC says the supposedly anonymized geo-location data can been easily compiled https://jiji.ng/ with other information from third-party sources to pinpoint a user’s identity.

“For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity,” the US regulator says. “In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials.”

The same data can also expose sensitive locations a consumer has visited, such as a reproductive health clinic, places of worship, or a domestic violence shelter. “The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services,” the FTC’s lawsuit (Opens in a new window) adds.

On Amazon’s AWS marketplace, Kochava allegedly offered up some of the data at no cost through a free sample, which covered a seven-day rolling period. One day of the sample data could cover 61.8 million unique devices. However, Kochava put minimal safeguards in place to prevent bad actors from accessing the same data; it merely required interested users to fill out a form.

“A purchaser could use an ordinary personal email address and describe the intended use simply as ‘business,’" the FTC’s lawsuit notes. “The request would then be sent to Kochava for approval. Kochava has approved such requests in as little as 24 hours.”

Samsung Data Breach Ensnares US Customers

In some cases, exposed data includes customer names, contact and demographic info, and dates of birth. Samsung is warning people to be on the lookout for phishing emails.

I’ve been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.

(Photo by Jung Yeon-je /AFP/Getty)

A hacker has infiltrated Samsung’s US systems and may have stolen information on customers.

On Friday, Samsung sent an email alert to affected consumers about the breach, which occurred sometime in late July. “On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected,” the company said.

Details are scant, but the company says that in some cases, the breach may have affected customer information, including “name, contact and demographic information, date of birth, and product registration information.”

“The information affected for each relevant customer may vary. We are notifying customers to make them aware of this matter,” the company adds. Samsung stresses that no Social Security numbers or credit card information was stolen in the hack, nor were any consumer devices.

It’s unclear how many customers were affected. But in an FAQ (Opens in a new window) , Samsung says if you received an email from the company about the breach then you are affected. “Should we determine through our investigation that the incident requires further notification, we will contact you accordingly."

Samsung says it collected the personal information “to help deliver the best experience possible with our products and services.” So the info may come from product and warranty registrations.

Samsung is now warning affected customers to be on guard against phishing emails that ask the user for more personal information. These emails could be used to trick victims into loading malware on their computer or exploited for identity theft purposes.