Yesterday, Google became the latest tech giant to admit a potential data breach after a software bug in the Google+ social network exposed user information.
Despite exposing data belonging to hundreds of thousands of users, Google chose not to reveal the details because it feared damage to its reputation, according to an article in The Wall Street Journal.
So, what exactly happened?
Between 2015 and March 2018, a software glitch in the site meant that outside developers could potentially have accessed personal Google+ profile data. When the breach was discovered, Google decided not to notify the social network’s users. An internal memo warned that revealing the leak would result in “regulatory interest” and lead to comparisons to Facebook in the wake of the Cambridge Analytica scandal.
Users can grant access to their profile data to Google+ apps, via the API. The bug meant apps also had access to profile fields shared with the user, but not marked as public. Google says this data is limited to “static, optional Google+ profile fields” including name, email address, occupation, gender and age. The technology giant says: “It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.”
However, because Google keeps the API’s log data for only two weeks, it says it cannot confirm which users were impacted by this bug. After running a “detailed analysis” over the two weeks prior to patching the bug, Google thinks the profiles of up to 500,000 Google+ accounts were potentially affected.
Google claims it found “no evidence that any developer was aware of this bug, or abusing the API,” adding: “We found no evidence that any profile data was misused”.
What should I do now?
Google+ is not a popular social network. However, many users created accounts to sit alongside their other Google products, such as Gmail. If you, like most people, have not been using the service, it won’t be a great loss to shut it down now.
You can find your account by logging into your Gmail. Once you have opened Google+, go to ‘settings’ on the left-hand side. If you scroll to the bottom, there’s an option to delete your account. You will then be prompted to sign in and will be again asked if you are sure you want to leave. Google will ask for the reason you are leaving. The final option is, interestingly, “I don’t know who can see my data”.
Is this issue fixed?
According to Google, yes. In March 2018, the glitch was fixed when it was discovered by internal investigators. However, it will degrade trust in Google at a time when big tech companies are already under scrutiny from both regulators and users.
Is the breach covered by GDPR?
Google’s reaction to this breach of user data shows the lengths to which companies will go to avoid public scrutiny, which in this case has backfired. However, because the issue was discovered and fixed before March 2018, Google will not be liable for the fines of up to 4% of turnover under the EU’s updated data protection regulation, the General Data Protection Regulation (GDPR).
It’s also worth noting the number of accounts possibly compromised – 500,000 – is dwarfed by the 50 million figure originally stated by Facebook. Google+ had few users, which in this case worked to its advantage.
What is Google doing now?
The company announced in a blog that it will be “sunsetting” Google+ for consumers and instead offering the service to business customers. It is also tightening up its security and privacy measures across the Google suite. It says: “In the coming months, we’ll roll out additional controls and update policies across more of our APIs. As we do so, we’ll work with our developer partners to give them appropriate time to adjust and update their apps and services.”
The firm is launching more granular Google account permissions that will show in individual dialog boxes. For example, it says: “When an app prompts you for access to your Google account data, we always require that you see what data it has asked for, and you must grant it explicit permission.”
The company adds: “Our goal is to support a wide range of useful apps, while ensuring that everyone is confident that their data is secure. By giving developers more explicit rules of the road, and helping users control your data, we can ensure that we keep doing just that.”
What does this tell us about how tech companies are using and protecting data?
After the Facebook hack was revealed only last month, trust is at an all-time low. Tech firms collect huge amounts of user data, yet their security measures are often woefully inadequate.
Technology is supposed to make people’s lives easier, but all too often, the companies that collect data are not being clear about how they use it and are failing to protect it from hackers.