Google+ shutdown – response to data leak caused by bug | No user data misused, claims Google.
Google has shut down consumer access to Google+ after announcing 500,000 users may have been exposed to a bug.
The software anomaly is thought to have been present in Google+ for more than two years.
Although Google discovered and patched the leak back in March, shares in parent company Alphabet were down 1.5%, a typical response to the latest in a series of privacy issues to hit big tech firms.
In a statement about the Google+ shutdown, a Google spokesperson said:
Our Privacy and Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response.
None of these thresholds were met in this instance.
Google added that it had found no evidence that any of its developers was aware of this bug. It also said there was no evidence that any Profile data was misused.
Late disclosure of data leak causing Google+ shutdown
In a blog post disclosing the data leak, Google admitted the leak potentially affected up to 500,000 user accounts. Interestingly, this comes almost seven months after the leak was discovered. According to the Wall Street Journal, Google’s CEO, Sundar Pichai, was briefed on the plan not to notify users after an internal committee had made that decision. As many as 438 third-party applications may have had access to personal information as a result of the bug. However, Google claimed it has no way of knowing, as it only maintains API usage logs for two weeks.
Under GDPR, when personal data is breached, a company must inform the ICO within 72 hours. However, this is not necessary if the breach is unlikely to result in a risk to the rights and freedoms of individuals.
There is currently no U.S. federal law that requires Google to disclose a data leak. There are, however, laws at a state level. Google’s HQ is in California, where companies are only required to disclose a data leak if it includes certain data. This includes:
- individual’s name and Social Security number
- ID card or driving license number
- vehicle registration plate
- medical information, or
- health insurance information