On October 8, The Wall Street Journal broke the news that, as early as 2015, a flaw in Google’s social media platform, Google+, made it possible for third-party developers to access data from users’ non-public profile fields.
According to The Wall Street Journal, Google first became aware of the flaw in May of 2018 but chose not to disclose this information to the public. At the time, the world was still reeling in the wake of the Cambridge Analytica scandal, and many have interpreted Google’s reticence as an attempt to deflect regulatory scrutiny and disassociate itself from Facebook.
The half-million Google+ users impacted by the leak may seem paltry compared with the 50 million Facebook users who learned that portions of their profile information had been harvested by survey participants within their social connections, and then monetized and used for political purposes. However, the fact that Google suppressed this information for several months, with questionable intentions, may serve to amplify the perceived severity of the breach.
In parallel with the recent announcement, the company has shuttered the consumer version of Google+ and announced that it will introduce a host of new security measures for Gmail and Android apps. These new security measures will, among other things, increase transparency, curb developer access, and give users greater control over the data they share.
Importantly, the Google+ data leak is only the most recent in a growing number of cyber events, impacting not just technology companies, but banks, retail stores, and even school districts. In this climate, businesses and organizations need to work proactively to ensure they have the appropriate privacy and security practices in place.