In early October of this year, Google announced that their long-beleaguered social media platform Google Plus (stylized Google+) had suffered a data breach; a bug allowed third parties access to private user data via an API, affecting as many as 500,000 users.
In the wake of the breach—and the allegations of an initial cover-up—Google announced they would be shutting down Google Plus for consumers in August 2019. Google Plus for enterprises would continue as normal.
However, it seems Google’s shutdown timeline may have been too generous.
Yesterday, Google publicly disclosed that Google Plus had suffered a second personal data exposure, also resulting from an API bug. This time, the number of users affected could reach as many as 52.5 million individuals.
According to Google’s public statements, internal researchers discovered the bug through normal investigation processes; hackers did not exploit the bug prior to discovery. In the wake of these new revelations, Google announced plans to accelerate the shutdown of Google+ for consumers, now scheduled for April 2019. Google+ APIs for the consumer version of the social media platform will be shut down within 90 days.
The API bug in question for the second Google+ data exposure allowed developers and apps to gain access to user profiles including information set to “not public.” The personal data exposed included names, ages, occupations, and email addresses. Google stressed the exposure did not affect financial information and passwords.
What does the second Google Plus data exposure mean for enterprise identity and access management? What lessons can enterprises take away from this highly scrutinized data exposure?
Here are some of our conclusions:
The Consequences of a Cover-Up
When the Wall Street Journal broke the story of the initial Google+ data breach, they reported on internal memos encouraging the search engine giant to cover up the breach to avoid regulatory attention. Google denied these allegations, but they haunt the company’s current efforts to handle the wake of the second Google+ data exposure.
Google’s reputation and brand image took a major hit following the first announcement, emphasizing the growing conversation about privacy, data usage, and the public responsibility of companies like Google and Facebook. Google CEO Sundar Pichai is scheduled to testify before Congress today on accountability; how this latest announcement will affect his testimony remains to be seen.
One of the most important lessons any enterprise can learn from the second Google+ data exposure is never to try covering up a data breach. The long-term reputational damage isn’t worth any short-term savings from avoiding regulatory scrutiny; it can affect your brand image and bottom line for years after the fact. Further, certain compliance mandates such as GDPR inflict harsher penalties on enterprises that fail to publicly disclose a breach in a timely manner after discovery.
Instead, your identity and access management platform should include a comprehensive incident response plan which includes informing compliance enforcers and the public.
The old saying goes “the cover-up is worse than the crime.” The same is true of data breaches. Showing you take the breach seriously and that you care about your consumers’ and employees’ PII can go a long way in maintaining your brand reputation.
Secure Your APIs
The second Google Plus data exposure shares plenty of similarities with its older counterpart. The most significant is the API vulnerability at the heart of both incidents. According to IAM and PAM solution provider Ping Identity, APIs remain a continual cybersecurity afterthought: 45% of IT security experts state they’re not sure whether their enterprises are aware of all their APIs, and 30% did not know whether their enterprise had suffered a data breach or security event involving their APIs.
This lack of visibility can cause massive security problems, as Google’s latest disclosure proves. To get a better handle on their APIs, enterprises should consider employing more advanced authentication systems. These can include token-based systems such as OAuth or SAML. They can also involve a granular consent model that regulates which parts of a user profile applications and developers may access.
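The granular consent model described above, as an added illustration that is not code from Google or from the original article: a hypothetical profile API that returns only the fields a user marked public plus the non-public fields covered by a scope the user explicitly granted to the calling app, shown beside the bug class the exposure belongs to (every app with a token receives the whole profile). All field names, scope names and sample data are constructed.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    fields: dict        # field name -> value
    visibility: dict    # field name -> "public" or "private" (user's own setting)


@dataclass
class AccessToken:
    app_id: str
    scopes: frozenset   # scopes the user consented to for this app (hypothetical names)


# Scope an app must hold to read a given non-public field; fields with no
# mapping can never be released to a third party (deny by default).
FIELD_SCOPE = {"email": "profile.email", "age": "profile.age",
               "occupation": "profile.occupation"}


def vulnerable_get_profile(profile, token):
    """Bug class behind the exposure: any app with a token gets every field,
    including those the user set to 'not public'."""
    return dict(profile.fields)


def hardened_get_profile(profile, token):
    """Release public fields, plus private fields the user consented to via scope."""
    allowed = {}
    for name, value in profile.fields.items():
        if profile.visibility.get(name, "private") == "public":
            allowed[name] = value
            continue
        needed = FIELD_SCOPE.get(name)
        if needed is not None and needed in token.scopes:
            allowed[name] = value
    return allowed


# Constructed sample: only the name is public; the user consented to email sharing.
SAMPLE_PROFILE = Profile(
    fields={"name": "A. User", "email": "a.user@example.com", "age": 34,
            "occupation": "engineer", "phone": "+1-555-0100"},
    visibility={"name": "public", "email": "private", "age": "private",
                "occupation": "private", "phone": "private"},
)
SAMPLE_TOKEN = AccessToken(app_id="third-party-app", scopes=frozenset({"profile.email"}))

if __name__ == "__main__":
    print("vulnerable:", vulnerable_get_profile(SAMPLE_PROFILE, SAMPLE_TOKEN))
    print("hardened:  ", hardened_get_profile(SAMPLE_PROFILE, SAMPLE_TOKEN))
```

The phone field has no scope mapping, so the hardened handler withholds it from third parties no matter which scopes the token carries.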
Above all, the Google Plus data exposure should remind enterprises that vulnerabilities persist. Changing your cybersecurity stance and attitude is only half the equation. You also need to adopt the IAM technology and solutions that protect the most exposed aspects of your network. Even the smallest issue can have massive consequences.