Google Kept Google+ Data Breach Quiet

Google announced Monday (October 8) that it is shutting down Google+ after finding a security bug that made data on 500,000 users accessible to developers.

In a blog post, Google said the bug in one of the Google+ People APIs granted apps access to a user’s profile data and the public information of their friends, as well as to Profile fields that were shared with the user but not made public. “This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender, and age. It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content,” Google wrote in the blog post. “We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.” Google said up to 500,000 Google+ accounts may have been impacted by the bug. It noted that it found no evidence that any developer knew about the security flaw or abused the API, and no evidence that any data was misused. The company also said it was shutting down its attempt to take on Facebook in social media because of low usage: the average visit to the site lasted around five seconds.

The blog post came hours after the Wall Street Journal, citing people briefed on the incident and documents seen by the paper, reported that Google had decided in the spring to keep the bug secret out of fear of drawing the attention of regulators. A memo reviewed by the paper, prepared by Google’s legal and policy staff and shared with company executives, warned that disclosing the breach would likely prompt immediate regulatory interest. The Wall Street Journal reported that Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee decided that was the direction to take.

The incident at Google+ had not been reported before, and it underscores the search giant’s efforts to stay out of the way of regulators, who are looking to regulate how tech companies handle consumer data in the wake of the Facebook/Cambridge Analytica data scandal. The disclosure could hurt Google’s standing, since the company has said publicly that it is less of a target for data breaches like those that have happened at Facebook.

“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesman said in a statement to the paper. The statement went on to say that, when deciding whether or not to disclose an incident, the company considers “whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met here.”