2018 Google data breach

The 2018 Google data breach was a major scandal in late 2018 when Google engineers discovered a software leakage within the Google+ API used in the social media network. As over five million user's data was compromised. This led to the immense news coverage on consumer privacy levels within Google+ and the shutting down of the Google+ consumer social network on 2 April 2019.

The harvesting of personal data was first noticed by Google+ producers in March 2018 during a review of its operations following the Facebook–Cambridge Analytica data scandal. The bug was immediately fixed however led to approximately 500,000 Google+ private users data being open to the public. Google did not disclose this information to the social network's consumer database. On 8 October 2018, the article Google Exposed User Data, Feared Repercussions of Disclosing to Public was published by The Wall Street Journal. Following this, in August 2019 Google made a simultaneous blog post announcing the shutting down of Google+ as there was low consumer use and technological challenges.

Within November 2018, another data breach was found within a Google+ API software update. The bug was fixed within a week and there was no evidence that any third party developer compromised the system. However, approximately 52.5 million non-public profile fields were exposed to alternative apps that requested access to individuals Google+ ID, and created access to other profiles that had shared information with each other.

Due to these data breaches, consumers called for greater consumer protection in online media and Google moved the Google+ social media shut down date to 2 April 2019, with legacy Google+ API's being shut down on 7 March 2019.

Overview of Google+
In June 2011, Google+ was launched as an invite-only social network and then become a public database later in that year. Google+ was managed by Vic Gundotra, Google's senior vice president of engineering. Similar to Facebook, Google+ acted as a social media database for posting photos and creating status's on individual feeds yet included the key features including Circles, Hangouts and Sparks.

Circles were created to allow consumers to personalise their social groups by sorting friends into different categories. Once allowed into a Circle, the person can be allowed to see particular content and be restricted from others. Therefore, users can regulate access of information in their individual spaces. Hangouts included video chatting and instant messaging between consumers. The other key feature of Google+ was Sparks; where Google tracked your past searches using keywords to find news and content related to a user's interests.

Along with being a social network, Google+ was produced to be the social layer of Google and its many apps and hence was used within other Google Profiles such as YouTube, Gmail and others. Google+ had over 2 billion user accounts within its interface as it gave access to many Google apps including Gmail and Google Drive. However, less than 400 million consumers were actively using the social media aspect, with 90% of these users using the social network for five seconds. Hence, Google+ did not have a large amount of consumer interaction within the social media network.

Along with the data breaches, Google+ saw limited consumer interaction with apps and low social media usage and so, the social network was shut down on 2 April 2019.

Characteristics of the data breach
In January 2018, a formal assessment of third-party developers and app access to Google accounts was created named Project Strobe. Through this project, privacy platforms were examined and tightened as consumers were concerned of data privacy. Google Project Strobe constructs a review on consumer's profiles, identifying what parts of a profile third-party developers are able to access. Many third-party apps use Google+ as a service to improve communication, working life and online experience. In March, the analysis of Application Programming Interfaces (API) showed a data breach within the Google+ People API where external apps acquired access to Profile fields that were not marked as public.

Google found that there was no evidence of any user's personal information being misused. A detailed analysis identified that 500,000 Google+ accounts were included in this data breach which was capable of allowing 438 external apps without authorisation to private users names, emails, addresses, occupations, gender and age. This information was able to be accessed by third-party apps between 2015 and 2018. There was no evidence found that any of this information was misused, and Google is not able to confirm which particular users profile data was accessible or impacted. There was no evidence found that any third-party app developers were aware of this profile leakage and abused this.

In November 2018, a software update created another data breach within the Google+ API. The bug impacted 52.5 million users where, similarly to the past data breach, apps were able to access Google+ profiles without consent displaying name, email address, occupation and age. Apps were not able to access information relating to financial, national identification numbers or passwords. Google+ blog posts, messages and phone numbers also remained inaccessible if displayed as private information. Dissimilar to the last data breach, access was granted for six days before Google+ gained knowledge of the data leakage and was able to rectify the problem. Google+ found no evidence of misused data by third-party developers and consumers were Access was granted for six days before Google+ was able to rectify the problem, however they found no evidence of misuse and an announcement of the leakage was made to Google+ consumers.

News coverage
The publishing of ‘Google Exposed User Data, Feared Repercussions of Disclosing to Public’ by the Wall Street Journal on October 8, 2018 outlined the initial data breach, describing how Google+ had not originally disclosed the issue. They advised the public that the data breach had occurred between 2015 and 2018 through a leakage in the API software where third-party apps were able to access private information. There is no federal law that requires Google to inform their consumers of data breaches. Google+ originally did not want to disclose the information in fear of comparison to Facebook's data leakage and loss of consumer confidence. In response to the article, Google announced the permanent shut down of all consumer functionality in August 2019. After the second data leakage this date was accelerated and moved to April 2019.

Alongside the Wall Street Journal, considerable amounts of coverage was made on each data breach by newspapers around the world discussing consumer's privacy levels. On 8 October 2018, a Google Blog post described the first data leakage and the shutdown of Google+, written by Ben Smith, the Vice President of Engineering within Google. Following the second data breach, Google Blog posted an article written by the Vice President of Product Management, David Thacker, on December 10, 2018. This article indicated that Google+ APIs would be shutting down within the next 90 days and the acceleration of the closing of Google+. Both articles provide a detailed explanation of each data breach, the ramifications for Google+ and ensured consumers on the privacy and reliance on Google of consumer data.

Responses on Google+ and Google
In response to the data breach, enterprise consumers were notified of the impact of the bug and given instructions on how to save, download and delete their data prior to the Google+ shut down. The issues were analysed by Google's Privacy and Data Protection Office, finding that there was no misuse of consumer's profiles data. However, Google decided that Google+ was not being used in abundance as a social media network and hence the network should be shut down.

Immediate ramifications
Preparing for the Google+ social network, Google created a 10-month period for consumers to download and migrate their profile's data. Google+ users could save Google+ photos, videos, events, posts, circles and communities. Events created in Google+ and birthdays of relevant people in Google+ circles will be deleted off Google Calendar. Photos and videos backed up to Google Photos will not be deleted. Google+ widgets will no longer be available and have since been removed from all blogs. After the 10-month period consumer content will be deleted and Google will not save Google+ content apart from particular content needed for law, regulation, legal processes, legal obligations, or government requests. As the social network had a substantial number of consumers, the process of deleting this data will take a few months and is in progress. On 4 February 2019 consumers were no longer able to create new Google+ profile. Google shut down Google+ APIs on 7 March 2019 to ensure that developers do not remain reliant on these APIs prior to the Google+ shutdown. As of 2 April 2019, Collections and Circles still existed but are continually being phased out.

As of 7 March 2019, Google+ APIs have been shut down including REST API, Web API, Android SDK, Domains API and Pages API. Developers that used these Google+ APIs have removed these as otherwise their applications would break. Google has offered alternative APIs for these developers including Google Sign-In and Google People API.

Share Price Impact
Google is the principal entity owned by its parent company Alphabet Inc. After the data breach, Alphabet Inc share prices fell by 1% to $1,157.06 on 9 October 2018 after an earlier drop of $1,135.40 that morning being the lowest price since 5 July 2018. After the publication of The Wall Street Journal article, share prices dropped as low as 2.1% in two days on 10 October 2018. Share prices steadily increased from this point and were able to rectify this share price drop and meet the 8 October 2018 share price on 5 February 2019.

Rebuilding Google+
Google will rebuild Google+ as a corporate enterprise network. This network will be known as Google Currents and will be used by G suite consumers. The name has been recycled from the previous Google magazine platform, Google Currents, which is now known as Google News. The network will incorporate new features including 'tags'. Tags have been built for employees to be able to be involved in relevant organisation conversations if they follow a certain tag. Managers will be able to monitor conversations between employees, and interact through the social media network. Leaders posts will also be given priority within the business's posts and events and will be given more visibility across the network. This network will have differing security and privacy settings. Apps will require requested access to other Google platforms where only email functionality enhancing apps will be allowed after heightened security regulations. Google Play will now assess which apps can ask for permission to access the users SMS data; where only the default app for telephone distribution is able to make requests. Prior to the data breaches, apps were able to request access to all of a consumer's data simultaneously. Within the new privacy setting, each app will need to request individual permission for each aspect of a consumer's profile, and the consumer will have to grant this to create access. New posts will now only be accessed within the domain however this can be made Public. Profiles can no longer be publicly searched and discovered.