Should I be concerned?

CheddarFingers

Nov 8, 2016
With recent light on Google withholding details of the data leak of Google+ user data for 6 months on (when weighed against others) a lightly used social media solution, is this indicative of the corporate culture within Google's decision making? Should I be concerned that Google would be even more tight-lipped on data breaches within the Android ecosystem, which would have even greater impacts to their brand?

It's stuff like this that makes me look towards the walled garden.
 
It's standard practice to not immediately announce a data breach. The standard operating procedure is to first close whatever back door was used to gain unauthorized access and assess the damage. This will obviously take a fair bit of time. If they announce it before they fix the problem, it's a huge risk. Not only will the attacker know the company is on to them and try to grab everything before the fix, but it'll tempt other hackers to use the same method and likewise result in even more stolen data.

So no, it doesn't bother me when companies, any company, announce they had a data breach months ago. Well, beyond the frustration that it happened at all, of course.
 
Thank you, Mooncatt, for a well-thought-out response. In this case, though, it wasn't Google that disclosed the data breach, but rather the Wall Street Journal, via leaked memos from Google executives that wanted to keep a lid on the breach, fearing external scrutiny. Only once the WSJ published the article did Google issue a statement to shut down G+. The WSJ also has a policy to inform parties of articles they are writing about, giving notice and an opportunity to weigh in. I find the whole thing lacks general trust, and maybe my trust has been misplaced.

Earlier this year, Spectre and Meltdown were prematurely leaked by Google after an agreement not to do so with multiple vendors close to the situation. Google's disclosure was heralded as a voice of security and champion of the people. When in fact their decision actually forced the immediate service cascade outages of hundreds of thousands of cloud services across AWS, Azure, and plenty of others. I know because I got the 3am phone call and had to scramble to figure out why Amazon and Microsoft were disrupting my inventory production lines. Only to find out that months of crafting change controls and sign-offs in prep for the fixes were curtailed by Google's desire to stick it to others.

Yet, internally to Google, they decide to hide their data breaches. Not cool, and cause for concern.