Is the Recent Chinese Google Hack the most Serious Privacy Breach of the Year?

Thursday, January 21, 2010

Brent Carey

Last week Google announced that it was the victim of a hack in China. Word of the attack spread quickly, and the German, French and Australian governments issued warnings about using Internet Explorer.

I'm amazed that this incident has not received more commentary from the privacy and security communities. Is this not the most serious data privacy breach in a search engine’s history?

Last week Google announced that two Gmail accounts have been accessed and at least 20 corporate companies' online infrastructure targeted by Chinese hackers. The attack has led to the company querying whether it should continue to operate in China.

One of the underlying messages in Google’s announcement has been whether China can be trusted with the internet. This has quickly been picked up by the media, which has shifted the attention away from Google and on to China.

But as a Google user I find myself in the past few days querying Google’s privacy credentials and asking whether we can trust Google.

In many of its product choices Google has always encouraged a more “open” way of sharing information. Sometimes this openness and freedom of expression has come at the expense of traditional notions of privacy. Think Google Maps and Google Streetview.

But in the area of email accounts, Google’s default settings have always been about ensuring security and privacy. That’s how email works.

As a result of this guarantee hundreds of millions of users, like me, routinely do things via Gmail.

Foundational to the trust in which I use my Gmail account is Google’s ability to protect the personal information in my emails from unlawful third party access.

It is still unclear what personal information the hackers have. Google have not given the public full view of the incident and its privacy implications.

Google has been quick to define the issue in terms of an Intellectual Property matter. In so doing they have escaped from having to call the hack a data protection or privacy issue.

I'm not sure that an internet user reading Google’s description of the hack would get the right idea or understand the significance of what really happened.

Two Gmail accounts can hold an abundance of personal information. Obvious is the information about the individual account holder. But not so obvious is the information on the sender of the email and any third parties who might be named in the subject line.

The hack has potentially breached hundreds, maybe thousands, of individuals’ right to privacy.

I haven't discovered yet a single article that describes the Google hack for what it is: an ugly, exposed data privacy breach which has the potential to undermine Google’s customers' trust in its ability to protect privacy.

The bottom line is Google has lost personal information from users’ email accounts. That's the most valuable thing they have!

Because this is a serious data breach those individuals affected by the data breach should be given more information about what has happened. Isn’t the intention of US data breach laws that those affected by a privacy breach have a right to know, presuming, of course, that the servers that were hacked were located on US soil?

Apart from its initial press release, where are the data breach notifications from Google?

In the short term Google has posted information about the hack to their blog. But I don't think this is adequate data breach notice.

And will the 20 companies who have lost personal information also be coming forward to tell affected individuals what has happened to their privacy?

Google may have come clean about the hack but they should be saying more about its data privacy breach.

Anthony M. Freed: It sure brings us into uncharted territory, raising issues of cyber warfare and defense, as well as economic espionage.

It is difficult to imagine there would be any resolution to many of the security problems we face in the cyber age, as the alternatives to a free and accessible internet may be worse than the risk confrontation.

Thanks Brent!