
Google Settles Google+ API Data Leak Lawsuit for $350M


Plaintiffs Alleged Google Sought to Cover Up API Flaw That Exposed Private Data


Silicon Valley giant Google agreed to settle for $350 million a shareholder lawsuit alleging it misled investors by attempting to cover up a privacy flaw in the now-defunct social network Google+ that gave outside applications access to private profile information.


A Monday stipulation in federal court says Google must compensate shareholders of common and non-voting stock who bought shares between April 23, 2018, and Oct. 7, 2018.

Plaintiffs, led by the state of Rhode Island’s retirement system, alleged in a putative class action that Google had sought to sidestep regulatory fallout after discovering in March 2018 a glitch dating to 2015 in the Google+ API that allowed outside developers to access users’ private profile data. A Google investigation found that up to 438 third-party apps likely had access to the API.

The Wall Street Journal reported in October 2018 that the company had decided not to notify users out of fear of being sucked into the same privacy maelstrom that engulfed Facebook in the wake of the Cambridge Analytica scandal. Plaintiffs filed suit days after the article was published.

The settlement does not require Google to admit liability. The complaint asserts that Google CEO Sundar Pichai learned about the bug in April 2018 and received a briefing on the plan to keep it hidden from outsiders. Third-party apps had access to data including photos, relationship status, email addresses and home addresses.

Google executives concealed that the company had “such poor security controls and record keeping that they could not determine the scope of the data breach, identify all of the affected users, detect other data-security bugs, or protect the private personal data of the tens of millions of Google+ users,” the plaintiffs said in an amended complaint filed in the U.S. District Court of the Northern District of California in April 2019.

Google terminated Google+ for individual consumers on the same day The Wall Street Journal article ran. It shut down the social network in early 2019.

The company argued in court – and in public – that it had found no evidence that any third-party developer was aware of the bug or had abused the Google+ API. It also contested whether plaintiffs had suffered any harm and said that drops in the stock price in the three days following the Journal article had not been statistically significant relative to the overall market.

Google in the settlement agreement, which still requires approval by a federal judge and is subject to privately filed objections, maintained it had “meritorious defenses to the claims.” It said it was settling after concluding that “further litigation could be protracted, burdensome, expensive, and distracting.”