In recent years, data breaches have become the digital danse macabre. Hackers strike small businesses and giant global enterprises alike. No industry is safe from the dark ambitions of digital threat actors. Facebook has recently suffered at their hands, with the profiles of 50 million users exposed due to numerous security bugs. Now Google—more specifically Google+, its own social networking platform—has fallen to the wolves at the door.
Today, Google announced via blog post that it will be shutting down Google+ for consumers over the next ten months. The reason: Google failed to publicly disclose a security bug affecting hundreds of thousands of user accounts. The bug allowed third parties to access private data via an API, including names, birth dates, email addresses, occupations, gender identities, and profile photos. The number of affected users may be as high as 500,000. As many as 438 applications may have had access to private data via Google+.
In the blog post Ben Smith, Vice President of Engineering at Google, said: “We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.”
The bug lingered for several years—since 2015—before being discovered in March of this year. Internal investigators discovered the issue and patched it, but they did not disclose the breach to the public after its discovery. Smith claimed in his blog post that the breach did not warrant public disclosure:
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice. Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response.”
“None of these thresholds were met in this instance.”
However, the Wall Street Journal—which originally broke the story—reported that Google was in fact worried about the regulatory consequences of the breach. It cited several internal memos that warned executives of the “immediate regulatory interest” that could result from disclosure. Indeed, the cover-up could land Google in hot water with regulators (especially under GDPR). What fines Google will have to pay remains to be seen.
Editor’s Correction October 9, 2018: Because the breach was patched in March, Google will not be subject to GDPR consequences. They will, however, be liable for other regulatory violations.
Google, along with Facebook and Twitter, tried earlier this year to quell regulators’ fears of data privacy violations and neglect in the wake of the Cambridge Analytica scandal. This breach cover-up will further tarnish their arguments for public trust. Google had previously been seen as untouchable—a reminder of just how essential threat detection and incident response are for enterprises of all sizes.