Read the full story on Data Breach Today.
Google says a bug in an API for its Google+ social networking service exposed personal details for about 500,000 accounts, but it believes the data wasn’t misused.
Google patched the bug in March but chose to not publicly disclose the problem, based on a recommendation made by its privacy and data protection office, writes Ben Smith, a Google fellow and vice president of engineering, in a blog post.
But the company was forced to acknowledge the incident after The Wall Street Journal on Monday reported on the data exposure. Citing anonymous sources and internal documents, the publication reported that Google feared it would be subjected to regulatory scrutiny and reputational damage if the details of the bug became known.
Google’s decision to not disclose the data leak is likely to raise eyebrows because technology companies have faced increasing pressure and regulatory scrutiny over their data handling and privacy practices.
In its blog post about the data exposure, Google didn’t specify where the affected users may have been based, or if it had alerted any countries’ privacy regulators to the data exposure.
A Google spokeswoman declined to comment on the location of the users whose data was potentially exposed. “Every year, we send millions of notifications to users about privacy and security bugs and issues,” she tells Information Security Media Group. “Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”
In the case of this data exposure, she says that Google’s internal review found that it would not be able to identify which users to inform, and also concluded that there was no “evidence of misuse” or actions that developers or users might take as a result, and so the company chose not to issue a notification.
“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations,” she says. “Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.”
Consumer Google+ to Shut
As part of its data exposure announcement on Monday, Google said that in 10 months it will close the consumer version of Google+, which was designed as a competitor to Facebook but never gained traction.
Google cited low usage as one reason for the closure, as well as the intensive maintenance needed to keep it running. But the company does plan to continue to offer an enterprise version, because “we have many enterprise customers who are finding great value in using Google+ within their companies,” Smith says in his blog post.
“Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network,” he says.