The Chairmen of the US Senate's Consumer Protection, Internet, and Commerce Subcommittees sent a letter to Google's CEO, Sundar Pichai, asking for a copy of an internal memo regarding the Google+ security breach.
The senators who sent the letter (.PDF) are John Thune, Chairman of the Senate's Committee on Commerce, Science, and Transportation, Jerry Moran, Chairman of the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, and Roger F. Wicker, Chairman of the Senate Subcommittee on Communications, Technology, Innovation, and the Internet.
As reported by The Wall Street Journal, an internal memo from Google’s legal and policy staff and sent to all senior executives warned that a possible disclosure of the security incident would lead to "immediate regulatory interest."
Furthermore, the internal communication stated that in the case of a disclosure Google would most certainly be "coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal."
Because of the internal memo unveiled by The Wall Street Journal, the three senators behind the letter sent to Pichai want to get a copy until October 30, with an extra requirement of receiving a written response to seven questions regarding the Google+ security breach.
The internal memo leaked by The Wall Street Journal expressed fear of "regulatory interest" and a comparison to the Cambridge Analytica scandal
According to the letter, "At the same time that Facebook was learning the important lesson that tech firms must be forthright with the public about privacy issues, Google apparently elected to withhold information about a relevant vulnerability for fear of public scrutiny."
The Google+ breach and subsequent shut down was caused by a People API bug Google found out about in March 2018, but exploitable between 2015 and March 2018.
Moreover, the bug exposed personal information like name, e-mail addresses, employers/organizations, occupation, places lived, birthday, age, and gender (as well as other less sensitive info) of around 500,000 profiles.
Google, however, decided that disclosing the incident is not needed because they "found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused."
"We are especially disappointed given that Google’s chief privacy officer before the Senate Commerce Committee on the issue of privacy on September 26, 2018 — just two weeks ago — and did not take the opportunity to provide information regarding this very relevant issue to the Committee," the three senators' letter also states.