Google’s failure to notify their customers of a data breach could land them in hot water in Australia with the Office of the Australian Information Commissioner (OAIC) looking into the breach.
According to The Australian, the Office will be seeking to find out the depth of the breach and how many of the 496,951 users affected by the breach were Australian.
News of the data breach surfaced on Monday morning in a report from the Wall Street Journal claiming that Google uncovered a breach earlier this year within its social network Google+ which exposed user data including ‘full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status; it didn’t include phone numbers, email messages, timeline posts, direct messages or any other type of communication data’.
The breach occurred through a loophole in an API that potentially gave third-party apps access to profile fields that were shared with the user but not marked as public. Google said the data was potentially available from 2015 until March 2018, when the bug was patched.
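As an added illustration (not Google’s code and not a description of the real Google+ API), the following Python model shows the access-control mistake described above, an app calling with a user’s token inheriting that user’s view of other people’s non-public fields, beside a hardened read that limits third-party apps to public fields of other profiles. Field names follow those listed in the article; all users, values and function names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

PUBLIC, SHARED = "public", "shared"  # per-field visibility settings


@dataclass
class Profile:
    user_id: str
    fields: Dict[str, str]      # field name -> value
    visibility: Dict[str, str]  # field name -> PUBLIC or SHARED
    circle: Set[str] = field(default_factory=set)  # users the owner shares SHARED fields with


@dataclass
class Caller:
    acting_user: str       # user whose token authorises the request
    via_third_party: bool  # True when a third-party app calls on that user's behalf


def visible_to_user(profile: Profile, viewer_id: str) -> Dict[str, str]:
    """Fields a human viewer may see: owner sees all, circle members PUBLIC+SHARED, others PUBLIC."""
    if viewer_id == profile.user_id:
        return dict(profile.fields)
    allowed = {PUBLIC, SHARED} if viewer_id in profile.circle else {PUBLIC}
    return {k: v for k, v in profile.fields.items() if profile.visibility[k] in allowed}


def read_profile_flawed(profile: Profile, caller: Caller) -> Dict[str, str]:
    # Flawed: the app inherits everything the authenticating user could see,
    # so fields other people shared only with that user leak to the app.
    return visible_to_user(profile, caller.acting_user)


def read_profile_fixed(profile: Profile, caller: Caller) -> Dict[str, str]:
    # Hardened: on another person's profile, a third-party app only gets PUBLIC fields;
    # reads of the acting user's own profile and direct (non-app) reads are unchanged.
    if caller.via_third_party and caller.acting_user != profile.user_id:
        return {k: v for k, v in profile.fields.items() if profile.visibility[k] == PUBLIC}
    return visible_to_user(profile, caller.acting_user)


# Constructed sample data (hypothetical users, not real accounts).
ALICE = Profile(
    user_id="alice",
    fields={"full_name": "Alice Example", "email": "alice@example.invalid", "birth_date": "1990-01-01"},
    visibility={"full_name": PUBLIC, "email": SHARED, "birth_date": SHARED},
    circle={"bob"},
)
APP_AS_BOB = Caller(acting_user="bob", via_third_party=True)  # an app holding Bob's token reads Alice
```

With this data, `read_profile_flawed(ALICE, APP_AS_BOB)` returns Alice’s email and birth date because Bob is in her circle, while `read_profile_fixed` returns only her public full name.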
Chris Griffith at The Australian points out that ‘the discovery of the breach occurred after the Notifiable Data Breaches (NDB) scheme began in late February’, meaning that both the discovery and what the WSJ claims was a cover-up occurred after the program was put in place.
Under the NDB scheme, any company that suffers a data breach is required to notify both affected users and the OAIC ‘where there is a likelihood of serious harm to any of the individuals whose personal information is involved in a data breach’.
Even though the potential for exposure was there, Google claims that no data was actually accessed, saying ‘We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused’. So whether there is a ‘likelihood of serious harm’ is subjective and something the OAIC will have to determine.
In a statement to The Australian, the Office said it would be seeking information on which Australian users’ profiles were exposed:
The OAIC is aware of reports about a security issue affecting Google+ user accounts. Google’s public statements state that it has found no evidence that any user profile data has been misused. However, the OAIC will be seeking further information from Google about the incident, including whether Australian users of Google+ were affected.
This was a vulnerability. There’s no evidence of a data breach, so it’s not correct to use that term until there is. The WSJ incorrectly used that term too, but they have since amended their headline.