

Case Study: Google+ Cyber-security Breach


What happened to Google+?

In the wake of last month’s Facebook breach, Google announced on Monday, October 8, 2018 that it will be permanently shutting down Google+, its social network platform, following a Wall Street Journal report that the company had not disclosed a bug, present since 2015, that exposed the user data of up to 500,000 Google+ users.

The bug gave outside developers access to the private, personal data of Google+ users. Despite Google’s declaration that it found no direct evidence that any of the developers were even aware of the bug, the fact remains that personal information including full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status was left wide open and accessible to an unintended audience.

Perhaps more troubling than the breach itself was the fact that Google deliberately kept the bug a secret from users, with no evident plans to let anyone know. Many would argue that, were it not for the Wall Street Journal report, it would still be a secret.

In Google’s own defense, its VP of Engineering, Ben Smith, is quoted as saying: “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

The exposed data falls under that definition of “personal data” in the European Union’s General Data Protection Regulation. However, because the breach occurred before the GDPR went into effect in May 2018, Google’s in-house lawyers, according to the Wall Street Journal, believe the company did not have a legal obligation to disclose the breach. This kind of information is also governed by PIPEDA in Canada, and a breach not disclosed after November 2018 may be subject to additional fines.

The fact remains that Google did not disclose the bug when it was discovered in March 2018, because it feared regulation and reputational damage. This decision flies in the face of the mantra of transparency that Google has stood behind for years.

Scrambling to regain the footing of its initial commitment to its users, Google released a blog post on its efforts to improve data privacy and security, titled Project Strobe, in which the company presents its findings and the actions taken to mitigate the issue.

With tech giants Google and Facebook facing the heat over cyber-security, it should come as no surprise that your organization’s security and your customers’ privacy come at a cost. It is up to each organization to decide whether this cost will be paid before or after a breach, with the latter always being the more significant loss to all involved parties.

The decision should be an easy one.

For more information on how you can protect your organization and your customers’ private information, please contact us to learn more about our application security service offerings.