Analysis: Google's Problematic Response to Data Exposure
Google’s social media platform Google+ left 500,000 users’ personal information vulnerable to unauthorized disclosure due to a security bug, according to findings revealed by the Wall Street Journal. Making matters worse, Google was aware of the problem in March of 2018 but intentionally withheld knowledge of the security issue from its users due to fears of negative publicity.
Google+ API allowed unauthorized third-party access to users' personal information
The security bug that exposed user data was caused by the platform’s API, or Application Program Interface, which allowed third-party apps to access Google+ user information. When a user allowed a third-party app to access their own Google+ profile, the API also allowed the third-party app to access the Google+ profiles of all the user’s friends. By exploiting the security bug, third-party apps could access the names, email addresses, birthdays, gender, photos, occupations, relationship status, and places a user lived.
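The access pattern described above, modelled as an added example (not Google's code; the profile data model, field visibilities and app-consent records are assumptions): the vulnerable lookup treats one user's consent as covering their friends' data, while the hardened version limits a friend's profile to the fields that friend chose to make public.

```python
# Added example, not Google's code: a profile lookup showing the class of bug
# the article describes (one user's consent leaking friends' non-public fields)
# next to a hardened version. All users, fields and consents are constructed.
from dataclasses import dataclass, field

@dataclass
class Profile:
    fields: dict                      # field name -> value
    visibility: dict                  # field name -> "public" | "friends" | "private"
    friends: set = field(default_factory=set)
    consented_apps: set = field(default_factory=set)  # apps this user authorized

# Constructed sample data: Alice authorized "quiz-app"; Bob never did.
PROFILES = {
    "alice": Profile(
        fields={"name": "Alice", "email": "alice@example.com", "birthday": "1990-01-01"},
        visibility={"name": "public", "email": "private", "birthday": "friends"},
        friends={"bob"}, consented_apps={"quiz-app"}),
    "bob": Profile(
        fields={"name": "Bob", "email": "bob@example.com", "occupation": "nurse"},
        visibility={"name": "public", "email": "private", "occupation": "friends"},
        friends={"alice"}),
}

def get_profile_vulnerable(app_id, caller_id, target_id):
    """Bug pattern: only checks that the caller authorized the app, then hands
    the app every field of any friend of the caller."""
    caller = PROFILES[caller_id]
    if app_id not in caller.consented_apps:
        raise PermissionError("app not authorized by caller")
    if target_id != caller_id and target_id not in caller.friends:
        raise PermissionError("target is not the caller or a friend")
    return dict(PROFILES[target_id].fields)

def get_profile_hardened(app_id, caller_id, target_id):
    """Fix: a user's consent covers only that user's own data. Another person's
    profile is released only as far as that person allowed: all fields if they
    authorized this app themselves, otherwise public fields only."""
    caller = PROFILES[caller_id]
    if app_id not in caller.consented_apps:
        raise PermissionError("app not authorized by caller")
    target = PROFILES[target_id]
    if target_id == caller_id or app_id in target.consented_apps:
        return dict(target.fields)
    if target_id not in caller.friends:
        raise PermissionError("target is not the caller or a friend")
    return {k: v for k, v in target.fields.items()
            if target.visibility.get(k) == "public"}
```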
Knowledge of the incident withheld to avoid backlash
Google became aware of the security problem in March of 2018, and quietly fixed the problem with no intention of informing users of potential unauthorized access to their personal information. Earlier in the same month, Facebook received negative publicity and backlash over the Cambridge Analytica scandal, in which the political consulting firm leveraged a similar API bug to access millions of Facebook profiles without users’ consent. Cambridge Analytica used the Facebook information it acquired to target specific voters in the highly polarized 2016 US Presidential election. Documents indicate that Google feared a similar response and declined to notify users of the incident.
The importance of honesty in incident response
Google’s lack of transparency in responding to the security incident damaged user trust and the company’s reputation. Instead of being forthcoming with its knowledge of the API bug in a relatively small social media platform, Google intentionally withheld information from users to prevent association with Facebook and the Cambridge Analytica scandal. While Google states there is no evidence that its API security bug was abused, the public’s reaction to the vulnerability was likely made much worse by the tech giant’s efforts to hide its discovery. Alphabet, Google’s parent company, suffered losses in the stock market after it was revealed that knowledge of the security bug in Google+ was withheld from the public.
Google’s handling of its security bug demonstrates the need for organizations to have an established incident response plan and public relations strategy in place. Users value organizations that properly secure their data, but also value transparency and honesty when an incident that violates their data security occurs. Withholding information is a surefire way to lose user trust and damage an organization’s reputation. As cyber threats increase in complexity and volume, it’s critical for businesses to be prepared to handle incidents that impact user data.