Almost a month after announcing them in a blog post, Google has sent an email to users informing them of two potential data breaches.
Critics are asking why the search giant waited until now to inform account holders of the exposure of Google+ data.
“The only problem with this,” writes Digital Information World, “is that the data breach occurred all the way back in October, and the users received this email on the 3rd of January.
Google’s email states that it discovered the breaches in November.
It is unlikely that Google users were unaware of the breach, given the widespread publicity it received. However, the GDPR requires immediate notification of victims when data has been leaked.
The email starts as follows:
Dear Google User,
We are writing to inform you of a technical issue caused by a software update, which affected Google+ APIs (Application Programming Interfaces) between November7th, 2018 and November 13th, 2018 PT when the issue was fixed. We have determined that the technical issue was limited to Google+ APIs that return profile information about users and results in two potential unintended effects.
If you granted an app permission to view your profile information, such as name, email address, and occupation, the app was able to request and view more profile fields than you granted the app permission to view.
If a person with whom you had shared profile information granted an app permission to view your public profile, that app was able to request and view your public profile fields that you had shared with that person but not share publicly.
Google has shut down Google+ in reaction to the incidents.
The email continues: “This issue was limited to profile fields and did not give developers access to information such as financial data, national identification numbers, passwords or similar data typically used or fraud or identity theft.”
It adds: “The issue was detected by our automated testing and fixed on November 13 2018 PT. We have no evidence that the app developers who inadvertently had this access for six days were aware of it or misused it in any way.”
Meanwhile, Google is facing litigation over data episodes. Rhode Island filed a suit last month, alleging that Alphabet Inc., parent company of Google, misled shareholders and regulators by not disclosing the breaches, NBC 10 News reported.