Google is shutting down its Google+ social network after it covered up a gaping security hole that exposed the personal data of half a million internet users.
Up to 500,000 people may have been affected by the flaw, which allowed hundreds of apps to access data including people’s jobs, ages and location information. There is no suggestion that any credit card or bank information was exposed, but exposing private information about individuals can make them more vulnerable to fraud.
Google discovered the vulnerability in March but failed to reveal it until Monday night, after reports emerged that it had kept quiet due to fears the bug would draw scrutiny from politicians and regulators.
An email shared among senior Google executives and lawyers said that revealing the issue would lead to “immediate regulatory interest” and mean its chief executive Sundar Pichai being forced to give evidence in Washington.
On Monday, the company announced that it was shutting down its social network, Google+, which was the source of the flaw. It will take 10 months to completely close the service, and a version for businesses will remain open.
Users’ details were exposed due to an error in a feature that allowed people to link their Google+ profile with other applications. The error allowed the details of almost 500,000 people to be accessed by the applications, even when those users had demanded that their data be kept private. Google said up to 438 external applications, such as online games or quizzes, could have exploited the flaw.
Millions of Britons are believed to have Google+ accounts, since profiles are automatically created when users set up a Gmail email account.
However, the company said it could not identify which individuals had been exposed to the flaw, since it automatically deleted data about which apps access users’ profiles every two weeks. As a result, it will be unable to alert users who may have been affected.
The flaw was similar to the way in which the British data firm Cambridge Analytica accessed the information of millions of Facebook users.
Emails between Google executives, seen by the Wall Street Journal, showed that the company had stayed quiet about the error when it was discovered in March, fearing that revealing it would invite comparisons to the Facebook scandal.
A Google memo said that revealing the flaw would mean it “coming into the spotlight alongside or even instead of Facebook, despite having stayed under the radar throughout the Cambridge Analytica scandal”.
Google said it had not revealed the problem because it had no evidence that any application developer had found the vulnerability, or that it had been misused.
However, it said it had decided to shut Google+, a website it launched in 2011 in an attempt to challenge the rise of Facebook. The social network has been widely perceived as a failure and Google said the majority of users use it for less than five seconds, suggesting they largely stumble upon it by mistake.
However, Google+ profiles often have a significant amount of personal data about people because the service is linked to other Google services such as email. Google said people’s email addresses may have been exposed by the flaw but that the contents of emails had not been.
Failing to come clean about the security flaw is unlikely to lead to a large fine under new European data legislation, because the company discovered and fixed the problem in March, before the GDPR law came into effect.
Google is already under pressure over plans to censor its search engine in China, where the company has been blocked for several years.