Google+ Shut Down After Data Bug Exposes 500,000 Users to App Developers for Three Years

Wall Street Journal

What happened

Google disclosed a bug in the Google+ API that had exposed private profile data of up to 500,000 users to third-party app developers since 2015. Google had discovered the bug in March 2018 but declined to disclose it publicly, partly citing concerns about regulatory scrutiny. The Wall Street Journal broke the story in October, and Google announced the platform's shutdown.[1]

What went wrong

Google discovered the breach in March 2018, conducted an internal review, and decided not to notify affected users or regulators. The concealment was reportedly driven by concerns about regulatory reaction. When the WSJ story broke seven months later, the concealment proved more damaging than the underlying bug.[1]

Lesson learned

Data breaches must be disclosed according to regulatory timelines regardless of the perceived PR impact of disclosure. Internal documents recommending concealment become the story when they leak. The decision to delay disclosure of a privacy incident is almost always worse than timely, controlled disclosure.

Sources

  1. Wall Street Journal, "Google+ Shut Down After Data Bug Exposes 500,000 Users to App Developers for Three Years"