Google's parent has been hit with a lawsuit for failing to disclose to investors a bug – secretly fixed in March – that could have exposed half a million users' data.
Last week Google admitted that it had discovered and patched a bug in one of its Google+ People APIs that meant third-party apps could access profile fields including name, email, gender and age that weren't marked as public.
It estimated that some 438 third-party apps could have had access to the data of almost 500,000 users, but said a review had found "no evidence" developers had even noticed the bug.
The firm kept quiet about the glitch – it said its data protection officer found it did not reach various thresholds for disclosure – until The Wall Street Journal ran a story about it.
Although security researchers complained the newspaper had been "fear mongering", investors felt differently – the company's stock price fell $67.75 per share over the following two trading sessions.
Investor Adam Wicks has now launched a lawsuit in the Northern District of California against Alphabet for keeping schtum. The suit also names CEO Larry Page, Google CEO Sundar Pichai, and Google CFO Ruth Porat.
The complaint (PDF) asserts that the firm should have revealed the existence of the bug, and that execs "repeatedly made materially false and misleading statements regarding the security failure affecting users' personal data".
Referencing comments made in the WSJ, the complaint alleged that Google had kept it quiet after an internal memo warned that disclosing the bug would trigger "immediate regulatory interest".
The filing also stated that making the bug public would have likely resulted in Pichai being hauled in front of US Congress – this would have been about the time Mark Zuckerberg was forced to make an appearance over the Facebook-Cambridge Analytica scandal.
The complaint centres on statements made in two 10-Q filings lodged with the Securities and Exchange Commission, on 23 April and 23 July, after the bug had been discovered.
These claimed there had been "no material changes" to risk factors – which Google acknowledged would include perceived or real security breaches – since the year ended 31 December 2017.
The complaint said these statements "were materially false and/or misleading" since there was no mention of the bug or the potential fallout.
In particular, the 10-Qs failed to disclose that "damage to the company's reputation and operating results and loss of customers from this failure of the company's security measures were imminent and inevitable".
Alphabet also failed to make investors aware that the company's security measures "had failed recently and massively"; that they had been breached "due to employee error, malfeasance, system errors or vulnerabilities"; and that security protections had not shielded personal user data.
"As a result of defendants' wrongful acts and omissions, and the precipitous decline in the market value of the company's common shares, plaintiff and other class members have suffered significant losses and damages," the suit alleged.
It also claimed that had members of the class – those who acquired common shares of Alphabet between 23 April 2018 and 7 October 2018 – been aware of the incident, they might not have purchased shares, or the shares would have been at a lower price.
Page, Pichai and Porat were issued with a summons from the court yesterday and have 21 days to respond to the complaint.
A case management conference has been scheduled for 11 January 2019. ®