Phone data-leak company: No record of location-data abuse

Associated Press

LocationSmart operates in a little-known business sector that provides data to companies for uses such as tracking employees and texting e-coupons to customers near relevant stores.

Among the customers LocationSmart identifies on its website are the American Automobile Association, FedEx and the insurance carrier Allstate.

The New York Times reported earlier this month a firm called Securus Technologies provided location data on mobile customers to a former Missouri sheriff accused of using the data to track people without a court order.

On Wednesday, Motherboard reported that Securus' servers had been breached by a hacker who stole user data that mostly belonged to law enforcement officials.

Securus may have obtained its location data indirectly from LocationSmart. Securus officials told the office of Sen. Ron Wyden, an Oregon Democrat, that they obtained the data from a company called 3Cinterative, said Wyden spokesman Keith Chu. LocationSmart lists 3Cinteractive among its customers on its website.

Wyden said the LocationSmart and Securus cases underscore the "limitless dangers" Americans face due to the absence of federal regulation on geolocation data.

"A hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child's cellphone to know when they were alone," he said in a statement.

LocationSmart took the flawed webpage offline Thursday, a day after Carnegie Mellon University computer science student Robert Xiao discovered the software bug and notified the company, Xiao told The Associated Press.

The bug "allowed anyone, anywhere in the world, to look up the location of a U.S. cellphone," said Xiao, a doctoral researcher. "I could punch in any 10-digit phone number," he added, "and I could get anyone's location."