Google agrees to $350 million settlement over data leak
Google will pay $350 million to settle a long-running class action lawsuit focused on how a security glitch in its now defunct Google Plus social media platform exposed millions of its users’ data to outside developers.
In December, the tech giant also settled a lawsuit filed by Chrome users who were tracked online while in incognito mode, a feature which purports to shield users from such tracking.
Under the terms of Monday’s settlement, Google denied that plaintiffs suffered damages resulting from the episode, saying that while it has “meritorious defenses to the claims alleged,” it has decided to resolve the lawsuit to avoid costly and distracting continued litigation. Google also denies that it misled investors, the settlement terms say.
The Google Plus lawsuit dates to October 2018 when news reports revealed that Google discovered users' personal data had been exposed for years yet remained silent about the episode. In October, The Wall Street Journal reported that officials within the company recommended not alerting shareholders or the public to the issue. The Journal’s report said Google officials had known of the problem for months but said nothing.
Three days after the Journal report was published the lawsuit was filed.
According to the Journal’s 2018 reporting, the software problem exposing Google Plus users’ data began in 2015 and wasn’t found or remediated until March 2018. The Journal reported that a memo it reviewed from Google’s legal and policy staff advised senior executives that making the episode public would likely spark “immediate regulatory interest.”
Chief Executive Officer Sundar Pichai was reportedly told about the plan not to alert users. The newspaper also reported that exposed profile data included “full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.”
In a Tuesday statement, Google highlighted that the security lapse in question involves a product it no longer offers.
"We regularly identify and fix software issues, disclose information about them, and take these issues seriously,” José Castañeda, a spokesperson for Google said in a statement. “This matter concerns a product that no longer exists and we are pleased to have it resolved.” -
The settlement was agreed to in October but did not become public until Monday.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.