Google is shutting down the consumer version of its Google Plus networking service, which never captured its target market the way its creators envisioned, after a bug this spring that exposed user profile data.
The vulnerability, discovered during the company's "Project Strobe" review of third-party access to data, was disclosed Monday amid growing federal government scrutiny of how technology companies employ and protect the data they gather on their users. Google's decision not to inform users of the discovery earlier is likely to draw increased attention now, said Scott Kessler, an analyst with CFRA Research.
Representatives of the company and social media platforms Facebook and Twitter have all been questioned by Congress this year about increasingly sophisticated cyber-attacks and what issues should be addressed in a possible federal security standard.
Mountain View, Calif.-based Google conceded that app developers were given access to Gmail accounts when users consented, and Facebook disclosed separate incidents that breached nearly 140 million accounts.
The bug that the search-engine operator reported on Monday allowed access to private portions of 500,000 Google Plus profiles that accountholders shared with developers. Exposure was limited to optional fields such as name, e-mail address, occupation, gender and age, Ben Smith, the company's vice president for engineering, said in a company blog post.
A detailed analysis before the bug was patched in March found no indications that any developer had discovered the vulnerability or that profile data was misused, Smith said.
"Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice," Smith said.
The company's privacy unit "reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response," he added. "None of these thresholds were met."
Google Plus allowed users to form online communities, sharing photos, videos and content, but found more success as a so-called enterprise service for companies that contracted the technology giant to handle portions of their information-technology needs. The consumer product will be shut down over a 10-month period, the company said.
Google slid 1 percent to $1,155.92 in New York trading on Monday, paring its gain over the past year to 16 percent.
Breaches of such services raise "the profile of possible legislation," Justin Antonipillai, the founder of data-protection firm WireWheel and an acting undersecretary for economic affairs in former President Barack Obama's Commerce Department, told the Washington Examiner.
Last year, credit bureau Equifax was lambasted in Congress when it waited months to disclose that hackers had stolen personal identification data for 145 million people, nearly half the population of the U.S.
And Facebook's quick disclosure of a security breach in September, which gave advanced hackers access to the accounts of 50 million users, shows that more companies are recognizing the need to inform users immediately so they can protect themselves and their information, Adam Levin, the founder of identity-protection firm CyberScout and a former director of the New Jersey Division of Consumer Affairs, told the Examiner.
Corporate executives realize they're operating in a world where breaches have become a business certainty and "organizations will be held more and more to account," Levin said.