International Regulators Begin Investigation into Google’s Data Breach

Two states within the United States are joining two European Union member states in investigating the breach at Google’s parent company Alphabet Inc. Data security experts currently estimate 500,000 users had their profile data exposed.

On Monday, Google announced it would end its dying social network platform Google+. While that caught the attention of many, it wasn’t the biggest surprise of the day. Google also said it would tighten up data-sharing policies after a “bug” potentially released usernames, email addresses, genders, and ages to third-party developers.

The US-based investigation begins

New York and Connecticut are the two states formally investigating Google with the breach, according to press reports.

Google said the issue was resolved in March and that no developer exploited the vulnerability of the data per the company’s internal review.

“We are aware of public reporting on this matter and are currently undertaking efforts to gain an understanding of the nature and cause of the intrusion, whether sensitive information was exposed, and what steps are being taken or called for to prevent similar intrusions in the future,” Jaclyn Severance, a spokeswoman for Connecticut Attorney General George Jespen, told the press.

A report from the Wall Street Journal published on Monday explained Google decided not to tell everyone about the security issue because they didn’t want to face regulatory scrutiny. The Wall Street Journal cited unidentified sources and an internal memo created by Google’s legal and policy staff for upper executives.

International investigations start questioning Google

The two states are joined by European powers Germany and Ireland in filing their respective claims. Ireland’s data protection regulator told the press it was pushing for more information from Google regarding the breach.

[see-also]

“The Data Protection commission was not aware of this issue and we now need to better understand the details of the breach, including the nature, impact and risk to individuals and we will be seeking information on these issues from Google,” it said.

German regulators in Hamburg are also doing an investigation. The data breach happened shortly before the EU-wide General Data Protection Regulation (GDPR). Under Germany’s old data protection law, Google would be fined a maximum of $345,000 USD or 300,000 Euros. However, GDPR -- which went into effect on May 25 of this year -- would fine a company up to 4 percent of its annual global turnover.

“We have sent a series of questions to Google,” said spokesman Martin Schemm.

Interesting Engineering will continue updating this story as more information becomes available.