In a blog post, the company explained that they “discovered and immediately patched” a bug in March, but did not notify users.
“Every year, we send millions of notifications to users about privacy and security bugs and issues,” the statement said. “Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”
The bug made Google Plus profiles, which included basic personal information such as one’s name, email address, occupation, gender and age. It did not compromise phone numbers, messages or any data that would have been connected to Google Plus.
Google explained that they cannot determine which accounts were affected by the bug because the logs were deleted months ago, but projected that up to 500,000 Google Plus accounts could have been made vulnerable.
The company is also limiting access developers have to users personal data. The blog post said there was no evidence the compromised data was misused.
The Wall Street Journal, which reported the bug Monday morning, cited a memo from Google’s legal and policy team cautioning senior Google officials that going public with the data breach would spark talk of regulation. It compared the breach to Facebook’s Cambridge Analytica scandal, which occurred about the same time.
Copyright © 2020 The Washington Times, LLC.