Google said it would shut down Google Plus, the company’s floundering answer to Facebook, after it discovered a security vulnerability that exposed the private data of up to 500,000 users of the service.
When the company’s technical staff discovered the bug in March, they decided against disclosing the issue to users because they hadn’t found anyone that had been affected, the company said in a blog post on Monday.
That decision could run afoul of relatively new rules in California and Europe governing when a company must disclose a security incident. In the blog post, Google said its “Privacy & Data Protection Office” decided the company was not required to report the security issue.
Google looked at the “type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance,” wrote Ben Smith, a Google vice president of engineering..
Up to 438 applications may have had access to the vulnerability, but Google said it had found no evidence that outside developers were aware of the security flaw and no indication that any user profiles were misused.
The incident could face additional scrutiny because of a memo to senior executives reportedly prepared by Google’s policy and legal teams that warned of embarrassment for Google — similar to what happened to Facebook earlier this year — if it went public with the vulnerability.
The memo, according to The Wall Street Journal, warned that disclosing the problem would invite regulatory scrutiny and that Sundar Pichai, Google’s chief executive, would likely be called to testify in front of Congress.
Earlier this year, Facebook admitted that Cambridge Analytica, a British research organization that had done work for the Trump campaign, had improperly gained access to the personal information of up to 87 million Facebook users. Mark Zuckerberg, Facebook’s chief executive, spent two days testifying in congressional hearings about that incident and other issues.
The decision to shut down Google Plus was part of a broad review of how much user information Google shares with third-party developers. Google, a unit of Alphabet, also said it is limiting the apps that can work with Gmail, the company’s email service, and constraining the amount of data that developers can access through Android, Google’s smartphone software.
Follow Daisuke Wakabayashi on Twitter: @daiwaka