The announcement came in a Monday blog post, which marked Google’s first public description of the privacy bug.
Google deliberately avoided disclosing the problem at the time, in part to avoid drawing regulatory scrutiny and damaging its reputation, according to a Wall Street Journal story that cited anonymous individuals and documents.
The Mountain View, California, company declined to comment on the Journal’s report, and didn’t fully explain in its blog post why it held off on revealing the bug until Monday.
The Google Plus flaw could have allowed up to 438 external apps to scoop up user names, email addresses, occupations, genders and ages without authorization. The company didn’t find any evidence that any of the personal information affected by the Plus breach was misused.
The timeline laid out by Google indicates the company discovered the privacy lapse around the same time that Facebook was under fire for a leak in its far more popular social network. Facebook’s breakdown exposed the personal information of as many as 87 million of its users to Cambridge Analytica, a data mining firm affiliated with President Donald Trump’s 2016 campaign.
Congress summoned Facebook CEO Mark Zuckerberg to be grilled about his company’s privacy issues in April.
Google CEO Sundar Pichai recently declined an invitation to travel to Washington to testify before the Senate about foreign governments’ manipulation of online services to sway U.S. political elections. His absence incensed some lawmakers, who left an empty chair for Google alongside the Twitter and Facebook executives who appeared before the Senate committee in September.
“With this breach announcement, the empty seat bearing Google’s name just became a lot hotter,” said Mike Chapple, an associate professor of information technology, analytics and operations at the University of Notre Dame.
Pichai went to Washington to mend political fences with lawmakers in late September and agreed to participate in a White House roundtable on technology that President Trump intends to attend. He also will appear in House hearings after the midterm elections in November.
Google has a strong incentive to position itself as a trustworthy guardian of personal information because, like Facebook, its financial success hinges on its ability to learn about the interests, habits and location of its users in order to sell targeted ads.
The desire to peer into people’s lives is one of the reasons that Google launched Plus in 2011. It was supposed to be a challenger to Facebook’s social network, which now has more than 2 billion users. But Plus flopped and quickly turned into a digital ghost town, prompting Google to start de-emphasizing it several years ago.
But the company kept it open long enough to cause an embarrassing privacy gaffe that could give Congress an excuse to enact tighter controls on data collection.
“Every data mishap strengthens the bipartisan case for Congress to take action on data protection,” said Jonathan Mayer, an assistant professor at Princeton University who formerly worked in the Federal Communications Commission’s enforcement bureau.
Europe began to impose tougher online privacy regulations in May. Those rules also include disclosure requirements for data breaches. Those rules don’t apply to the Plus problem because Google discovered it before they took effect.