Google will shut down the consumer version of its social network Google+ after announcing data from up to 500,000 users may have been exposed to external developers by a bug that was present for more than two years in its systems.
The company said in a blog on Monday it had discovered and patched the leak in March of this year and had no evidence of misuse of user data or that any developer was aware or had exploited the vulnerability. Shares of its parent company Alphabet Inc, however, were down 1.5% at $1150.75 in response to what was the latest in a run of privacy issues to hit the United States’ big tech companies.
The Wall Street Journal reported earlier that Google had opted not to disclose the issue with its Application Program Interfaces (API) partly due to fears of regulatory scrutiny, citing unnamed sources and internal documents.
Google said it had reviewed the issue, looking at the type of data involved, whether it could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take.
“None of these thresholds were met in this instance,” it said. “We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.”
Under the European Union’s General Data Protection Regulation (GDPR), if personal data is breached, a company needs to inform a supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedom of users.
“It seems like the downside risk of having a story that says they intentionally hid information about a major breach from users is bigger than the upside of avoiding scrutiny,” said Geoffrey Parker, an engineering professor at Ivy League college Dartmouth. “I wonder if there wasn’t more depth to the internal debate.”