Google Blasted for Delay in Data Exposure NotificationAsian Security Experts Criticize 'Breach of Trust'
Many security experts in Asia are blasting Google for its lengthy delay in revealing that a bug in an API for its Google+ social networking service exposed personal details for about 500,000 accounts.
"This is one of the biggest breaches of trust by one of the most respected companies across the globe," says Jiten Jain, CEO at the India InfoSec Consortium. "Like Uber and Yahoo, Google too decided to hide about the breach from its users. And how does Google know that none of the data exposed was actually misused?"
Google, which says it believes the data wasn't misused, patched the bug in March but chose to not publicly disclose the problem, based on a recommendation made by its privacy and data protection office, writes Ben Smith, a Google fellow and vice president of engineering, in a blog post.
But the company was forced to acknowledge the incident after The Wall Street Journal on Monday reported on the data exposure.
Google announced it would shut down the consumer version of Google+, which was designed as a competitor to Facebook, citing low usage as well as intensive maintenance.
Lack of Transparency
Singapore-based Tom Wills, adviser at TuriQ, a firm which empowers blockchain startups, stresses the importance of prompt notifications of security incidents. "Companies must notify affected end users," he says. "Notify the media and consumers with an explanation of what happened and what remedial steps are being taken."
A number of news reports indicate that Google was aware of a bug in its Google+ product, but it was not aware of any cases of third parties exploiting that bug.
"If this was the case, it is most likely that the applicable regulations do not require a disclosure to be made," says Tony Jarvis, chief technology officer, Asia Pacific, Middle East & Africa, at Check Point. "All commercial grade software contains bugs, and these are usually patched as vendors become aware of them."
But Olli Jarva, managing consultant, Asia Pacific at Synopsys, says significant exposure of data should be reported regardless of whether a law requires it.
"Whether data was misused or not, it does not change the fact that the [exposure] should have been communicated to users," Jarva says. "Reputation is everything, and maintaining a good reputation takes extra effort. Companies should advise users of data breaches, even if companies believe that the data has not been misused."
Rahul Sharma, founder of the Perspective, a firm which focuses on cyber policy, notes: "Customers have every right to know what data of theirs has been compromised or leaked. This should be a practice followed by every company, and I feel a law addressing this issue must come out soon.
"Who are they to decide whether my leaked data is important or critical? If I am trusting them with my data, I have every right to know when my data gets compromised, however small the breach is."
Jain says social media companies and others fail to recognize that when they delay announcements about breaches or exposure of data, "there is a bigger reputational loss when news like this comes out. There is a complete loss of faith."