
Google for months kept secret a bug that imperiled the personal data of Google+ users

Google will close most of its failing social media platform Google+ after discovering that hundreds of thousands of users potentially had their personal data exposed because of a previously undisclosed software bug.

People walk by Google offices in New York. Google is closing the consumer version of its long-spurned Plus social network after discovering a bug earlier this year that leaked some of the personal information about up to 500,000 people who still have accounts on the dying service. (AP)

Google kept quiet for more than six months after its discovery of a bug that put at risk the personal data of hundreds of thousands of Google+ users, the company said Monday, a delay that could spark a new round of regulatory scrutiny.

Google found the bug in March and repaired it, according to a Google blog post. But the delay until October in revealing it could reignite long-standing complaints from federal and state lawmakers that tech giants such as Google are reckless with user privacy and not forthcoming enough when breaches and other incidents happen.

Google discovered and made its decisions on handling the Google+ security bug in March, the same month that Silicon Valley rival Facebook was facing massive scrutiny over its role in allowing people affiliated with political consultancy Cambridge Analytica to collect data on 87 million users.

The decision not to immediately report the software bug, a process that included briefing chief executive Sundar Pichai, was discussed in an internal document that expressed concerns about the company's reputation and the possibility of increased scrutiny from regulators, said a person familiar with decision-making at Google who spoke on the condition of anonymity to describe sensitive matters.

This person said the document, first disclosed by the Wall Street Journal, was not part of the official decision-making process at Google. Pichai recently agreed to testify before Congress, but a date has not yet been set.

In its blog post Monday, Google announced that it will sharply curtail Google+, its failing social media offering, limiting it to business and other enterprise customers only. The company also announced new limits on the information, such as call logs, that outside developers can gather on Android, the Google operating system used by most of the world's smartphones. And the company will impose new limits on the data shared about users of its popular email service, Gmail.

The Google+ incident is different in several key ways from Facebook's scandal with Cambridge Analytica, which triggered federal investigations from multiple agencies. An internal Google company review, called Project Strobe, discovered the bug allowing outside software developers to potentially gain access to personally identifiable information on users, including names, email addresses, ages, occupations, and sex.

But the company has said that no other information was put at risk and that it has no evidence that any of the data was improperly collected by outsiders. Google also said it was unable to determine whose data was exposed. A review of two weeks of data in March, the company said, showed that as many as 500,000 people may have had their information at risk to developers from 438 software applications.

"This review crystallized what we've known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps," said the company blog post. "The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds."

In the blog post, Google said it did not immediately announce the problems with Google+ because it was not sure which users were affected, whether the data had been misused, and what affected users could do to protect themselves. The decision was made by a standing company committee, the Privacy & Data Protection Office, before being reviewed by senior executives.

Google's disclosure comes at a time when the SEC is putting increasing pressure on corporations to disclose data-security episodes and has reopened its cybersecurity unit. This year, the SEC fined the company formerly known as Yahoo $35 million for failing to tell investors about a massive cyber-breach for two years — the first time the regulator has punished a company for such conduct.

"This is the kind of disclosure situation that the SEC will absolutely investigate," said John Reed Stark, who spent nearly 20 years in the SEC's enforcement division and now runs a cybersecurity consulting firm. "The SEC enforcement staff are likely scouring Google's public filings and other statements to review all relevant disclosure."

Even if a third party did not exploit the security vulnerability identified by Google, the SEC would likely be interested in whether investors were properly notified about the risks and about the incident, Stark said.

Alphabet shares fell 1 percent to $1,148.97 at the close in New York, after earlier dropping to $1,135.40, the lowest intraday price since July 5.

"This has been going on for too long," said Marc Rotenberg, president of the Electronic Privacy Information Center. "Companies like Google experience these breaches. They don't report them. They don't suffer consequences."

The Federal Trade Commission needs to step up and start investigating the company's privacy practices, he said.

The FTC, as the nation's chief privacy watchdog, has the authority to investigate data breaches. In 2011, it found that Google broke its own privacy policies when it introduced its Buzz social network — a precursor to Google+. The company is still under a consent decree stemming from that incident that requires it to implement a privacy program. The FTC can fine companies when they violate terms of a consent decree.

This article contains information from Bloomberg.