The New York Attorney General and the Connecticut Attorney General are investigating the Google data breach that may have exposed the private data of at least 500,000 users.
Google announced Monday (October 8) that it is shutting down Google+ after finding a security bug that made the data accessible to developers.
In a blog post, Google said the bug in one of Google+ People APIs granted users access to profile data and the public information of their friends, as well as access to Profile files that were shared with the user but not made public. But the incident was never reported, which could hurt the company’s standing since it has claimed that it is less of a target for data privacy breaches.
“We are aware of public reporting on this matter and are currently undertaking efforts to gain an understanding of the nature and cause of the intrusion, whether sensitive information was exposed, and what steps are being taken or called for to prevent similar intrusions in the future,” Jaclyn Severance, a spokeswoman for Connecticut Attorney General George Jepsen, told Reuters in an email.
The New York Attorney General’s office also said it was looking into the breach. In addition, Ireland’s data protection regulator said it would request additional information from Google regarding the breach.
“The Data Protection Commission was not aware of this issue, and we now need to better understand the details of the breach — including the nature, impact and risk to individuals — and we will be seeking information on these issues from Google,” the regulator said.
In the meantime, Google has attempted to explain why it didn’t disclose the breach to the public.
“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said in a statement, adding that when deciding whether or not to disclose an incident it considered “whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” he said. “None of these thresholds were met here.”