The number of users affected by this breach is estimated at nearly half a million. Sputnik has discussed the issue with Fow Chee Kang, associate director and cyber security managing consultant at LGMS.
Sputnik: What do you think about the fact that Google knew about these holes and this access to personal data and didn’t say anything to the public?
Fow Chee Kang: The things that come into my mind are revenue and reputational damage to the company, because when there’s anything related to user privacy or information leakage, they will be placed under the global highlight, which would make them look very bad in the market. This has been proven in previous cases.
Fow Chee Kang: I will agree on that. But it seems like they’re walking on a knife where they just want to buy on luck in this case, until they were exposed, and in this case right now it’s been all over the news.
Sputnik: This is Google which everybody thinks of as the apex of search engines and tech companies, and here they are with this hole in data and it was allowing all of this information to be leaked. There are possibly half a million people that were affected by this; are there any legal ramifications for not reporting such things? We really don’t have much information on that; this tech stuff and private information is a new territory, and there doesn’t seem to be much legal support to understand who is responsible for this and if anybody should have to pay a fine or take responsibility for it? What does the law say regarding this? Can Google get sued?
Fow Chee Kang: This happened back in 2015, but if you talk about the regulatory requirements in the US, I’m afraid I might not be able to comment on that.
In terms of the release from the GDPR, it has some requirements that say that if you are having these kinds of security vulnerabilities or bugs you must disclose it within 72 hours. This breach failed to comply with it. This was only a compliance requirement, so in this case I’m still not sure if this applies to them. But this is one of the things they may want to look into.
Fow Chee Kang: That was new. So that’s why if that happened back in 2015 you can see the gaps. So should they comply or not comply; either consider to comply or not to comply in this case. This is the gap they might need to think of.
Sputnik: The thing is that when I hear that Google did this I start to wonder about some smaller companies who have far fewer resources; and if the minds that are employed by Google didn’t find this, how often would similar things happen throughout the tech industry that we never know about? Do you think that we should be concerned that a lot of companies or platforms that we frequent are having problems where we never even knew about it but our information was leaked and once that’s leaked that basically can’t be taken back?
Fow Chee Kang: I would think that there are many companies out there that do have similar cases where their applications aren’t secure or they’re having some user data leaking but they aren’t reporting it.
This is something that we need to find out whether these companies are doing any kind of testing or whether there is anything that they’re putting in reference to their security or not.
The reason why similar cases keep happening is due to the process of how the company converts the value of its assets. When the asset doesn’t bring much income to the company it gets less attention or less investment in terms of security. This trend is true. As you say, there are many small companies out there; if this happens they just decide not to disclose or expose.
Fow Chee Kang: If you take a look at Google Plus and compare it to Facebook or Twitter, and if you ask the public on the street what social media they’re using most probably they would say Facebook or Twitter but not Google Plus.
I think the thing is that Google Plus isn’t making revenue for them and they decided that the public shouldn’t use it. Instead they are deciding to opt for businesses to use it only.
Views and opinions expressed in this article are those of Fow Chee Kang and do not necessarily reflect those of Sputnik.