Google+ shutting down after massive user data leak

Google announced it is shutting down Google Plus after discovering a security vulnerability that exposed the personal data of up to 500,000 users. The bug was discovered in March 2018, but was not publicly disclosed due to fears of regulatory scrutiny, the Wall Street Journal reported.

Background

Google Plus was introduced in 2011 as a competitor to Facebook’s social media network. Linking users to other Google products such as YouTube and its search engine, it comes with Facebook-like features such as status updates, news feeds and the ability to organize groups of friends into “circles”. However, Google+ failed to catch on with users beyond niche communities.

Data privacy and security have been thrust into mainstream discussion following a string of major breaches worldwide. Earlier this year, Facebook acknowledged that British research organization Cambridge Analytica improperly gained access to the personal data of nearly 87 million Facebook users.

In May 2017, Europe adopted the new General Data Protection Regulation (GDPR) laws, which require companies to notify regulators of potential data breaches or leaks within 72 hours. Firms that fail to comply could face hefty fines.

Analysis

Google is shutting down its Google+ social network after the company’s engineers discovered an API bug that may have exposed the personal data of more than 500,000 users to hundreds of external developers.

By default, Google+ allows app developers to access some Google+ data with users’ permission. In March 2018, Google discovered a bug in the Google+ People API.

From 2015 until March 2018, the bug allowed third-party app developers to access profile data that users had marked as private as well. Data exposed included full names, email addresses, birth dates, gender, profile photos, occupation, places lived, and relationship status. However, Google+ posts, messages, Google account data, phone numbers and G Suite content were not impacted.
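As an added illustration of the bug class described above (this is not Google’s code and makes no claim about how the People API was actually implemented), the hypothetical profile endpoint below shows the failure mode: the buggy handler returns every field once an app has any profile access, while the fixed handler honours the owner’s per-field visibility, and a helper flags which private fields a response leaked. The field names and the sample record are constructed.

```python
# Hypothetical profile endpoint (constructed example, not Google's code).
from dataclasses import dataclass

PUBLIC = "public"
PRIVATE = "private"


@dataclass
class Profile:
    owner: str
    fields: dict       # field name -> value
    visibility: dict   # field name -> PUBLIC or PRIVATE, set by the owner


# Constructed sample record; no real user data.
SAMPLE = Profile(
    owner="alice",
    fields={"name": "Alice Example", "email": "alice@example.test",
            "birthday": "1990-01-01", "occupation": "engineer"},
    visibility={"name": PUBLIC, "email": PRIVATE,
                "birthday": PRIVATE, "occupation": PUBLIC},
)


def profile_view_buggy(profile, acting_user):
    """Vulnerable pattern: the app has profile access, so every field is
    returned and the owner's per-field visibility is never consulted."""
    return dict(profile.fields)


def profile_view_fixed(profile, acting_user):
    """Hardened: an app acting for another user sees a field only if the
    owner marked it public; unknown fields default to private (deny)."""
    allowed = {}
    for name, value in profile.fields.items():
        vis = profile.visibility.get(name, PRIVATE)
        if vis == PUBLIC or acting_user == profile.owner:
            allowed[name] = value
    return allowed


def private_fields_leaked(profile, response):
    """Detection helper: list the owner-private fields present in a response,
    e.g. for a regression test or a log audit of API responses."""
    return sorted(n for n in response
                  if profile.visibility.get(n, PRIVATE) == PRIVATE)
```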

The bug was immediately patched as part of a review of how Google shares data with other apps. In a blog post, Google fellow and vice president of engineering Ben Smith said the bug likely occurred as a result of the API’s interaction with a Google+ code change.

Because the API kept logs for only two weeks, Google said it cannot determine exactly which users were impacted by the bug. Based on a detailed analysis of the two weeks prior to the patch, Google estimates that the profiles of up to 500,000 Google+ accounts were affected. About 438 developers “may have used” the API in question.

“We found no evidence that any developer was aware of this bug or abusing the API, and we found no evidence that any profile data was misused,” Smith said. “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”

Citing unnamed sources and a memo prepared by Google’s legal and policy staff for senior executives, the Wall Street Journal reported that Google decided not to disclose the incident due to fear of regulatory scrutiny and negative comparisons to the Facebook-Cambridge Analytica scandal. Chief Executive Sundar Pichai was reportedly briefed on the issue.

Google has decided to retire the free version of Google+ by August 2019, adding that 90% of all Google+ sessions didn’t last more than 5 seconds. The company has also announced new privacy policies for Google accounts and user data.

The disclosure comes after both Facebook and Twitter disclosed breaches in recent weeks. Facebook announced a major breach affecting at least 50 million users. Twitter disclosed a bug that accidentally shared users’ direct messages with Twitter app developers.

Counterpoint

The decision to shut down Google+ shortly after the revelation of the breach could set Google apart from its competitors, who are also facing scrutiny over data privacy. US policymakers and regulators could view Google’s response to the issue, including its new policies that rein in developer access to data, as noteworthy.

Assessment

Our assessment is that the Google+ breach could receive additional scrutiny from US lawmakers and regulators because of the reported memo. We believe it also raises concerns about major companies weighing how the disclosure of such security incidents would appear to regulators, given that there is no federal law requiring companies to disclose such bugs. We feel that although Google’s security issue occurred before GDPR rules went into effect, such events in the future will likely be met with further fines and reputational damage.