Google Reveals Google+ Data Breach Coverup and Upcoming Shutdown

In recent years, data breaches have become the digital danse macabre. Hackers strike small businesses and giant global enterprises alike. No industry is safe from the dark ambitions of digital threat actors. Facebook has recently suffered at their hands, with the profiles of 50 million users exposed due to numerous security bugs. Now Google—more specifically Google+, their own social networking platform—has fallen to the wolves at the door.

Today, Google announced via blog post that it will be shutting down Google+ for consumers over the next ten months. The reason: Google failed to publicly disclose a security bug affecting hundreds of thousands of user accounts. The bug allowed third parties to access private data via an API, including names, birth dates, email addresses, occupations, gender identities, and profile photos. The number of affected users might reach up to 500,000. As many as 438 applications may have had access to private data via Google+.

In the blog post, Ben Smith, Vice President of Engineering at Google, said: “We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.”

The bug lingered for several years—since 2015—before being discovered in March of this year. Internal investigators discovered the issue and patched it, but they did not disclose the breach to the public after its discovery. Smith claimed in his blog post that the breach did not warrant public disclosure:

“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice. Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response.”

“None of these thresholds were met in this instance.”

However, the Wall Street Journal—who originally broke the story—reported Google was in fact worried about the regulatory consequences of the breach. They provided several internal memos which warned executives of the “immediate regulatory interest” that could result from disclosure. Indeed, the coverup could land them in hot water with regulators (especially GDPR). What fees Google will have to pay remains to be seen.

Editor’s Correction October 9, 2018: Because the breach was patched in March, Google will not be subject to GDPR consequences. They will, however, be liable for other regulatory violations.  

Google, along with Facebook and Twitter, tried earlier this year to quell regulators’ fears of data privacy violations and neglect in the wake of the Cambridge Analytica scandal. This breach coverup will further tarnish their arguments for public trust. Google had previously been seen as untouchable—a reminder of just how essential threat detection and incident response are for enterprises of all sizes.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.