Computer users hit Google with federal class action over possible data breach

(CN) In the latest fallout over yet another Silicon Valley privacy scandal, computer users hit Google and its parent company Alphabet with a federal class action Monday night for potentially exposing the data of up to 500,000 users of Google Plus to outside parties.

Google announced in a blog post Monday morning that it would discontinue its largely unsuccessful Google Plus social network for non-business users after it discovered a software glitch made user data accessible to outsiders from 2015 to March 2018.

The bug gave third-party app developers access to names, email addresses, occupations, birthdates, and other information that is “highly valuable to identity thieves,” according to the complaint.

According to the plaintiffs, Google decided not to warn users about the data leak for at least seven months for fear it would attract scrutiny from regulators at a time when Facebook was facing hard questions about its own Cambridge Analytica privacy scandal.

“Incredibly, defendants chose to protect themselves from potential ‘regulatory interest’ rather than protect the personal information of its users and advise them that their personal information had been exposed in a massive leak of information to unauthorized third parties,” the 28-page complaint states.

Google said in a blog post that it could not identify which user accounts were compromised and that it worked to immediately fix the bug after discovering it in March 2018. Up to 438 outside app developers had access to the user data, according to Google.

“We found no evidence that any developer was aware of this bug, or abusing the [application programming interface], and we found no evidence that any profile data was misused,” the company said in its blog post.

Google also announced it will shut down the Google Plus service for regular consumers within the next 10 months. Launched in June 2011, Google Plus intended to rival popular social media networks like Facebook and LinkedIn, but it never gained popularity on the same scale. Google Plus allows users to create profiles and add other users as connections, or friends, to various circles, or networks. Google said the service currently has “low engagement” with 90 percent of user sessions lasting less than five seconds.

However, the company said it will maintain and build upon the service for business customers, who use Google Plus to communicate with co-workers through an ostensibly secure network.

Lead plaintiffs Matt Matic and Zak Harris, of California, claim that because the vulnerability existed for three years and Google only surveyed the scope of the data leak for two weeks in March 2018, “the number of compromised users is expected to be much higher” than 500,000.

The plaintiffs allege violations of California business and customer records laws, negligence and invasion of privacy. They seek class certification, an injunction, damages, restitution and disgorgement.

They are represented by Joshua Watson of the Clayeo C. Arnold law firm in Sacramento.

Watson also represents a proposed class in another suit filed less than two weeks ago over a Facebook software vulnerability that compromised 50 million user accounts.

The lawsuit comes toward the end of a year chock full of data privacy scandals for Silicon Valley companies.  Facebook has been hit with lawsuits over the Cambridge Analytica scandal that affected 87 million user accounts, its sharing of private user data with device makers, and its alleged collection of Android phone users’ data without consent.

Google was also sued earlier this year for allegedly tracking users’ locations through its Android operating system without their permission.

Google’s press team did not immediately respond to an email seeking comment Tuesday morning.