Google has announced that it has suffered a second data breach on its social media platform Google+, two months after a high-profile Google+ breach saw the company announce it would be closing the service.
This latest breach, which was the result of a bug in a Google+ API, exposed personal information that users had not set to public, and allowed apps to access data that had been shared privately between users.
Google has said that it impacted “approximately 52.5 million users”, making this a far more severe breach in terms of scale than the one the company admitted to in October, which impacted just 500,000 people.
However, the October incident attracted considerable criticism of Google because it had occurred in March, but was not admitted to until much later in the year when an investigation by the Wall Street Journal forced Google’s hand.
Will the second Google+ breach harm public trust?
Google opted to announce this breach in a sober blog post shortly after it was discovered, which may be a sign the company is trying to avoid past mistakes. However, it may not be enough to stop further harm to public trust in the company.
“This announcement comes shortly after Google’s October disclosure of a security bug that affected approximately half a million users. Companies with repeated security incidents tend to lose even more public trust as it demonstrates a failure to learn from previous mistakes,” said Stephan Chenette, co-founder and CTO of AttackIQ.
“However, compared to Google’s last breach, the company disclosed this bug much sooner and is trying to be more transparent. In that regard, Google has learned that while security incidents have short-term impacts on stock prices, the long-term price is heavily influenced by how the company handles public disclosure of the breach.”
However, while the data was exposed for a far shorter time than in the previous incident, it was still at significant risk.
“Google is stressing that the information was only exposed for six days due to a bug in their API, however significant damage can be done in a matter of minutes,” said Mark Weiner, CMO of Balbix.
Google+ closure expedited in response to second breach
When it admitted it had suffered the first breach, Google also announced that it would be shutting down the consumer version of its platform, with a planned closure date of August 2019.
However, this second breach has led Google to speed up the process, presumably in an attempt to mitigate further damage to its reputation – or, in the case of a fine being applied, its bank balance.
“We have also decided to accelerate sunsetting consumer Google+, bringing it forward from August 2019 to April 2019,” wrote David Thacker, VP of product management, G Suite, in the blog post admitting the second Google+ breach.
“We want to give users ample opportunity to transition off of consumer Google+, and over the coming months, we will continue to provide users with additional information, including ways they can safely and securely download and migrate their data.”
Breach highlights importance of security controls visibility
While Google is taking the unorthodox approach of ditching its platform over the incidents, for other companies it is a reminder of the importance of having visibility into vulnerabilities in their own platforms.
“Data leaks of any kind have become far too common and are usually caused by security issues, or in Google’s case, technical errors, that are easily preventable,” said Chenette.
“Unauthorised exposure of any type of customer data, for any period of time, is a serious issue and organisations should always have a plan to continuously assess the viability of their security controls.”
“Unfortunately, most organizations today – even hyper-scale providers – do not have adequate visibility into the hundreds of attack vectors that could possibly be exploited by threat actors. And even when vulnerabilities or security gaps are detected, most organizations struggle in deciding what remediations to prioritise, given limited IT resources and manpower,” added Weiner.
“In the coming months and years, organizations will increasingly rely on security tools that leverage artificial intelligence and machine learning to continuously monitor for vulnerabilities and attack vectors, and to produce lists of prioritised fixes based on potential business impact.”