Post-Investigation Supplemental Statement Re: LocationSmart Hack
"Within 24 hours of learning that a PhD cybersecurity researcher had exploited a vulnerability in an online demo (aka "the LocationSmart hack"), LocationSmart eliminated the vulnerability and shut down the demo. As reported, the researcher accessed location for devices belonging to several collaborators who had all agreed to participate in the exploit. A forensic investigation conducted by a national cybersecurity research firm found no evidence of a data breach nor that any end user data was accessed without their consent. Additionally, LocationSmart discontinued the location services targeted by the demo exploit ("the LocationSmart hack") in 2019. LocationSmart has always taken end user privacy seriously and was grateful that it was able to quickly identify and eliminate the vulnerability and further strengthen its data protections as a result."
Original Statement Re: LocationSmart Hack - May 18, 2018
"LocationSmart provides an enterprise mobility platform that strives to bring secure operational efficiencies to enterprise customers. All disclosure of location data through LocationSmart’s platform relies on consent first being received from the individual subscriber. The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo has been resolved and the demo has been disabled. We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission. On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao’s public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent. LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process."
LocationSmart is the worldwide Cloud Location Services market leader for connected devices. We provide the easiest and most comprehensive cross-carrier platform for local, hyper-local and context-aware application development. Our core location services span indoor and outdoor use across devices, platforms and carrier networks. Powering innovative solutions for Fortune 500 customers and start-ups alike, LocationSmart is changing the ways companies do business. We deliver the broadest reach and largest global footprint, with an extensive portfolio of privacy consent methods for easy end-user adoption. For more information, please visit www.locationsmart.com.