It’s become evident that LocationSmart failed to take cybersecurity preventive measures while selling the real-time locations of cell phones wholesale. The problem started with a partner of LocationSmart called Securus that runs a business of prison communication.
LocationSmart has allowed Securus to provide mobile device locations in real time to law enforcement and others. The company works by locating the phones by finding a recently connected tower and then tracks their location within seconds as close to about 100 feet. However, a consent is required in order to track the phone.
If the police or the FBI or any other investigators required this kind of information, they need to directly access the network carriers. In order to skip through the paperwork hassle, network carriers allow LocationSmart to access the data and in turn sells it to someone else, like Securus. Securus in turn sells it to law enforcers or anyone who pays for it, without the need for paperwork.
But the catch here is that phone could still be tracked and located using tools from LocationSmart without user consent of carriers. It looks like the company forgot to secure the API and has caused a whole lot of damage.