Attacks/Breaches
1/12/2010
06:36 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Google Apologizes For Local Data Breach

Google Local Business Center customers received analytics data belonging to others.

Several thousand users of Google's Local Business Center (LBC) were recently surprised to find that they had received confidential LBC analytics information from other LBC users.

Google sends out a monthly newsletter to its LBC users that includes product news and Web traffic statistics related to users' business search listings. As a result of an employee's mistake, several thousand newsletter recipients received statistics for other people's businesses.

No sensitive personal information was disclosed, a Google spokesperson said. Exposed data consisted of the number of times the account owner's LBC listing appeared in Google local search results, the number of times searchers clicked on the listing and the associated Web site, and the number of clicks seeking further information and driving directions.

"Shortly after sending the newsletter to a small portion of our users (less than 1%), we discovered that some e-mails included incorrect business listing information," a Google spokesperson said in an e-mailed statement. We promptly stopped sending any further e-mails and investigated the cause, which we found to be a human error while pulling together the newsletter content. We'd like to apologize to all the business owners affected and assure all our users that we're working hard to ensure that nothing similar will happen again. Those affected should have all received a corrected e-mail."

Google LBC users like David Dalka, a business development and online marketing strategy strategy consultant, reported receiving one of the errant e-mail messages and suggested that the incident could harm users' trust of Google. "If the Google Local Business Results were sent to many people, this could likely be as serious as the AOL data breach," he wrote.

AOL's 2006 breach exposed about 20 million search terms and phrases used by 658,000 of its subscribers, so it's not that serious, but it's nonetheless embarrassing and something that Google doesn't want to repeat. The company is exploring ways to automate its newsletter to remove the potential for mistakes of this sort.

Last September, Google was sued by Wyoming-based Rocky Mountain Bank because of human error. A bank employee sent a Gmail message with confidential information to an unintended recipient. The bank then filed a lawsuit, which it later dropped, to force Google to the identify of the Gmail user who had received its information.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.