Google LLC's delay in disclosing a recent security glitch raised questions likely to draw government scrutiny and could have a lasting impact on the firm's image, analysts and brand experts said.
Alphabet Inc.'s Google unit said in an Oct. 8 blog post it is shutting down its Google+ social network following a disclosure that a bug shared the data of hundreds of thousands of users on the platform. The company said it discovered and fixed the vulnerability in March, but chose not to alert the public at that time since there was no evidence that any of the exposed profile data was misused and no way to accurately identify which users were impacted.
The announcement closely followed a report by The Wall Street Journal that said the glitch gave outside developers potential access to private user data — including names, email addresses, occupation, gender and age — between 2015 and March of 2018. Citing unnamed sources and internal documents, the Journal report said Google chose not to disclose the bug for fear that it would trigger increased regulatory interest and draw comparisons to Facebook's widespread data scandal involving the now-defunct data analytics firm Cambridge Analytica LLC.
In addition to closing Google+, which the company also said had poor engagement and was expensive to maintain, Google unveiled new privacy controls, including adding more granular Google Account permissions for consumers and limiting the apps that can seek permission to access users' Android smartphones or Gmail data.
Google's decision to not immediately disclose the bug could invite a probe from the U.S. Federal Trade Commission. A handful of senators have already urged the agency to investigate the incident.
Sen. Richard Blumenthal, a Democrat from Connecticut, who serves as ranking member on the Senate Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security, sent a letter to the FTC asking for an investigation into Google's decision against disclosure. The letter was also signed by Sen. Edward Markey, D-Mass., and Sen. Tom Udall, D-N.M.
In a statement provided to S&P Global Market Intelligence, FTC Chairman Joseph Simons said the agency "does not comment on specific incidents or companies." He added: "When we see a significant breach that puts consumers' private data at risk, you can be assured that we will be looking into it. We are committed to holding companies accountable if their practices violate the law."
If the FTC does investigate, it would not be the first agency probe into Google's business.
In 2011, for instance, Google agreed to settle FTC charges that it enrolled unsuspecting Gmail users in Google Buzz during 2010. Google Buzz — which was shut down in the fall of 2011, shortly after the debut of Google+ — was a social networking, microblogging and messaging tool developed by Google that was integrated into Gmail. A year later in a separate incident, Google agreed to pay a $22.5 million civil penalty to resolve claims that the company placed cookies on Safari browsers when it said it would not do so.
Google has faced political pressure to comment on its business practices this year in the wake of other high-profile data breaches. The company was noticeably missing from a September congressional hearing that featured Facebook Inc. COO Sheryl Sandberg and Twitter Inc. CEO Jack Dorsey. The Senate Intelligence Committee had requested Alphabet CEO Larry Page or Google CEO Sundar Pichai to testify, but both reportedly declined.
Pichai is expected to testify at a House Judiciary Committee hearing in November, where he is expected to receive ample grilling from lawmakers.
Google's efforts to downplay its security breach raise larger concerns about the company's commitment to privacy than about the actual event, said Gene Munster, managing partner at venture capital firm Loup Ventures.
"The cover-up was bigger than the crime," Munster said in an interview, adding that Google must play a more "active role" in protecting its users' data.
Munster suggested that the tech industry work to create "common ground" for how data breaches are disclosed in the future. Doing so, Munster said, would prevent minor breaches from getting blown out of proportion and would discourage companies from covering up significant data problems.
Branding expert Rob Frankel said in an interview that Google's public perception is more vulnerable to backlash following events like the recent breach because the company has not put enough resources into an overall branding strategy.
"All Google has is a name and product and a service, which means they have never formalized or codified any means by which the public can perceive them in the manner in which they wish to be perceived," Frankel said. "When you don't create your own brand strategy, the public creates it for you."
Google parent Alphabet's stock had fallen nearly 10% for the month-to-date as of Oct. 10 amid a broader technology stock rout.