Timeline of Events

March 2018 – Google’s internal staff discovers a bug in its software that exposes the private information of 500,000 Google+ users to third-party software developers. Google fixes the bug, which it believes has existed since the initial launch of Google+ in 2011.

October 2018 – Google publishes a blog post revealing the incident to the public, approximately six months after its initial discovery.

In March 2018, a bug was discovered in Google’s software that exposed the personal data of approximately 500,000 Google+ users to third-party software developers. This information included names, email addresses, ages, occupations and relationship status. The bug was fixed shortly after its discovery, and none of the data was found to have been exploited. However, Google did not make the bug known to the public for another six months, when the information was revealed in a blog post about data security.

Why did Google wait so long to go public?

According to an internal source, Google’s Privacy & Data Protection Office committee recommended that company executives not disclose the incident publicly, due to fears that news of the bug would damage Google’s reputation and lead to stricter regulation of the company. Consequently, executives agreed not to mention the bug until this October. In contrast to this account, Google’s official sources stated that the company chose not to announce the vulnerability because it was still unsure which users had been affected and to what extent.

What’s next for Google?

Google plans to make several changes in response to the incident. 

  • Google intends to discontinue Google+ for most users, leaving only business accounts active.
  • Information collected from Gmail users through Android, a mobile phone OS, will be protected by stricter limitations on data sharing.

Despite these improvements, both the Securities and Exchange Commission (SEC) and the Federal Trade Commission (FTC) are looking into the withheld information. John Reed Stark, who spent 20 years in the SEC enforcement division, stated, “This is the kind of disclosure situation that the SEC will absolutely investigate.” Earlier this year, the SEC fined Yahoo $35 million USD for not disclosing a data breach to investors for two years after the incident took place. This precedent is expected to be upheld in the SEC’s dealings with Google on this matter.

The takeaway

CYBER SECURITY IS CRITICAL FOR ANY BUSINESS! Take precautionary measures. Have a disaster recovery plan. Hire KNOWLEDGEABLE IT support staff. These actions will make all the difference for your business. Need help getting started? Call PCI at 914-934-9775 or email info@p-connect.com and we’ll help you protect your data.