Following the publication of an article in The Wall Street Journal, Google has announced it will wind down its Google+ service for consumers after a data breach involving up to 500,000 accounts, which the company elected not to disclose.
Having witnessed Facebook and Mark Zuckerberg undergo the fallout of the Cambridge Analytica debacle, Google chose not to disclose its own leak.
An internal memo obtained by The Wall Street Journal detailed the fears of company policy & legal officials that disclosing the breach would result “in us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal”. The memo also notes that notification of the breach would invite “immediate regulatory interest” and “almost guarantees [Pichai] will testify before Congress.”
In striking similarity to the Facebook & Cambridge Analytica scandal, the data breach was discovered in March after the search giant uncovered a bug in the Google+ API that allowed third-party app developers to access not only the data of users who had granted permission to the apps, but also that of their friends.
In a blog post on the company's website, Google vice president of engineering, Ben Smith, admitted that the breach had potentially affected 500,000 accounts and that up to 438 different third-party applications may have had access to private information.
Google has confirmed that affected data was limited to static, optional Google+ profile fields including name, email address, occupation, gender and age, but the company is unable to confirm which users may have been affected due to a two-week restriction on the retention of API log data.
Given the data available within the breach, experts believe it is unlikely that it was used maliciously – if at all – but the lack of public disclosure and the internal communications detailing the concerted effort to avoid public scrutiny have raised serious ethical concerns around the company’s transparency.
The Australian Data Privacy Certification Register will assess the merit of issuing an official data breach alert over the coming hours.
More to come.