In short: The US attorneys general of New York and Connecticut, along with the data protection agencies of Germany and Ireland, are now looking into the recent Google+ security flaw, which may have affected as many as 500,000 users. No specific details have been provided as to the extent or status of the inquiries. In the meantime, both the office of Connecticut Attorney General George Jepsen and Ireland’s Data Protection Commissioner have indicated a similar scope for their respective investigations. Both are primarily concerned with the exact nature of the vulnerabilities, with determining whether any leaks actually occurred, and with how the company can mitigate, and is mitigating, similar risks going forward. German authorities are taking a more narrowly scoped approach, trying to determine the extent to which German Google+ users may have been affected.
Background: The news of the investigations follows reports that Google’s social network had suffered vulnerabilities that could have exposed sensitive user data, such as full names, birthdates, email addresses, occupation, gender, and relationship status, to developers. The company has not been entirely clear about the details of those vulnerabilities, but has said that patches were implemented when the problem was discovered back in March. The issue at hand, however, stems from the fact that Google chose not to disclose the discovery and, on the contrary, is reported to have actively suppressed information about the problem. After news of the security breach broke, the search giant also announced that it would shut down Google+ permanently in August 2019 rather than continue to maintain the product.
Impact: Google has adamantly stated that there is no evidence the vulnerabilities were exploited and no way to know which accounts may have been affected, but it has not commented on new reports of an ongoing investigation. That may be at least partially because there appears to be some uncertainty about which office or agency should handle the matter, and the overall range of possible consequences for the company is substantial, depending on how that plays out. Although the EU’s General Data Protection Regulation (GDPR), specifically designed to handle such matters, has been in force since May 25, the breach occurred before that date. Under GDPR, Ireland would be the lead authority in the investigation, and Google could face fines of up to 4 percent of the company’s annual global turnover. Under the previous laws and Germany’s data protection rules, Google’s maximum fine in that country would be around $345,000.