Irish data watchdog to request information from Google about social network security bug

  • The Irish Data Protection Commission said it was “not aware” of the security glitch and would reach out to Google to enable it to better comprehend the situation.
  • Google currently doesn’t have a lead supervisory authority EU-wide that looks into individual cases.
  • The security flaw took place prior to the implementation of the EU's new privacy law, GDPR.
Google Plus
Adam Berry | Getty Images

Ireland's data protection regulator will ask Google to provide more information about a security glitch that compromised the data of 500,000 users, a spokesman told CNBC Tuesday.

On Monday evening, the tech giant disclosed publicly that its social media platform, Google Plus, had experienced a "bug" that gave developers to a user's information, including their name, email, address, occupation, gender and age. However, it said it found "no evidence" that any developer was aware of that glitch or that any profile data had been misused.

The Irish Data Protection Commission said it was "not aware" of the security glitch and would reach out to Google to enable it to better comprehend the situation.

"The DPC was not aware of this issue and we now need to better understand the details of the breach, including the nature, impact and risk to individuals and we will be seeking information on these issues from Google," the spokesman told CNBC by email.

Google currently doesn't have a lead supervisory authority EU-wide that looks into individual cases. Any regulator can contact the company about potential breaches of EU law.

The security flaw took place prior to the implementation of the EU's new privacy law, the General Data Protection Regulation (GDPR). As a result, Google will unlikely be targeted with the consequences of breaking that law, which include fines of either 20 million euros ($22.9 million) or 4 percent of annual global revenues — whichever is larger.

"Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance," a Google spokesperson told CNBC via email on Tuesday.

"The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers' expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+," the spokesperson added.

According to The Wall Street Journal, which broke news of the incident Monday, Google chose not to disclose the issue publicly at the time of discovering and patching the bug. This was done out of fear of a regulatory backlash and damage to its reputation, the newspaper reported, citing unnamed sources and documents.

The company said later that day that it would shut down Google+ for consumers as a result of the glitch for a 10-month period. It downplayed fears of the data bug being far-reaching, saying that there is "low usage and engagement" on the platform and that 90 percent of users spend just five seconds on it per session.

The announcement arrives as Google and other U.S. tech giants face regulatory scrutiny over the misuse of data on their platforms and concerns that social media was exploited by foreign actors to influence elections.

It is much smaller in scale to a scandal involving Facebook and political consultancy Cambridge Analytica earlier this year. Facebook admitted that the information of 87 million profiles had been improperly accessed by the data analytics firm.

Meanwhile, Twitter said last month that its platform experienced a bug that allowed third-party developers access to the private messages of users. The company said the security issue had been patched.