A bug-related data breach leads Google+ to shutdown
After the security experts discovered an API bug affecting the private information of 500,000 users, Google decided to shut down its social network Google+. According to the report, the vulnerability was discovered back in March 2018, during a Project Strobe audit. As it has been stated, it was patched at the time and hasn't been misused by bad actors:
We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.
However, according to the blog post, various information about the user, that was not marked as Public, was exposed because of the bug. This data supposedly includes the private details, such as name, email address, age, gender and occupation of the user. As it has already been stated, there is no evidence that any profile was used for the fraudulent purpose or that any of the developers knew about the bug before it was discovered.
Google has analyzed the information about the issue and discovered that more than 400 Google+ app customers had used these APIs until the vulnerability was patched. Ben Smith, Google's Vice President of Engineering, states that this bug appeared after the API's initial launch when the code was changed in the Google+ platform.
The questionable cover-up that started way back in 2015
The vulnerability was fixed back in March, but the company kept silent about the issue until now. The fact that Google is shutting down the entire social network raised attention and confusion that maybe this is only the tip of the iceberg. However, Google disclosed that average session on the platform lasts a few seconds. This makes Google+ barely existent when compared with Facebook and Twitter.
The Wall Street Journal has reported that this bug could be exposing users' data since 2015. According to their reporters, Google took the easier route, and, instead of making the public announcement, patched the bug silently. Unfortunately, the entire network will be shut down completely in August 2019, so customers have a few months to download their data. Google also announced new privacy features for accounts and the use of private information.
Germany looking into possible legal actions on Google
No matter that some parties decided to stay still, German data regulators decided to take a closer look at this case. Johannes Caspar, data protection commissioner in Hamburg, has stated that his company is investigating this incident. The investigation may lead to fines up to a $5 billion. However, this data breach happened before the General Data Protection Regulation took place, so the consequences may differ.
The U.S Securities and Exchange Commission may initiate an investigation on Google as well. According to a former Chief of the Sec's Office of Internet Enforcement, John Reed Stark, Google should consult a neutral law firm and conduct an investigation. As a reputable company, Google should disclose the details about their findings to users who got affected.