Data breaches are becoming more prevalent. Last week, the Wall Street Journal revealed internal memos about a security vulnerability through which third-party developers could access data from over 500,000 Google+ accounts. This data included usernames, occupation, date of birth, gender and more. Google maintains that no actual information was scraped and that it was only a potential data breach.
So if there was no breach, then why is everyone so worked up? Well, according to the memos, the bug was detected and fixed in March 2018. This means that Google was aware of the potential breach for 7 months before being exposed and, by the looks of it, Google had no intention of disclosing this at all. The internal memo stated that disclosing the incident could trigger “immediate regulatory interest” and invite comparisons to Facebook’s Cambridge Analytica data breach, which had occurred that same month.
Why Does This Matter?
Some people found the breach funny or irrelevant, mainly because Google+ was never as popular as it was supposed to be to begin with and it didn’t have a huge user base (compared to Facebook which Google+ was supposed to rival). What is worrying is that, at one time, millions of people made Google+ accounts that still exist years after Google+ stopped being a meaningful social media platform.
This is a story about how the digital footprint we create and subsequently forget about can easily come back to haunt us. It would be like the world eventually moving on from Facebook or Twitter, and then, years later, your dormant account and millions of others being hacked and the information leaked. Is it a laughing matter just because everyone else has moved on to a new social platform?
Google wasn’t legally required to disclose the incident to the public as no legitimate breach occurred. However, Google could potentially face class-action lawsuits over its decision to not disclose the incident. Whilst laws such as the GDPR and the Notifiable Data Breach Scheme are in place, are they enough? Should big companies also face fines for not disclosing whether a potential breach could have taken place?
Too Little, Too Late?
Google claims it is planning to take measures to clamp down on security. One of these measures is to shut down Google+ altogether. The company will also limit the amount of access third-party developers have to other Google applications.
This is Google’s second big data scandal this year. The Associated Press found that Google collected the location data of Android users even if their location history setting was turned off.