Google Photos Leak Poses Enterprise Threats

A recent Google Photos data leak underscores the fact that any company is subject to technical issues, software glitches and employee mistakes.

Some users were surprised to learn that despite proactively taking strong security measures across its product lines, Google slips up too. Most recently, the search giant managed to make errors in Google Photos where it exported some user videos to other, unrelated users’ archives for no apparent reason. While this mishap may inconvenience or even embarrass some affected users, there is additional threat potential for affected businesses as well.

Inkscreen’s Josh Bohls

“Every day, businesses and public-sector organizations capture photos, audio, video, scanned documents and mixed media content gathered on mobile devices to conduct business — much of it captured on employee devices with little or no organizational governance over content or security and compliance protections,” said Josh Bohls, Founder at Inkscreen, an enterprise mobile content management provider.

“Google’s lapse in sending individuals’ photos to other users sheds new light on this lack of protection and perilous compliance risk,” Bohls added.

Google said the problem sprang from a technical issue that affected the “Download your data” export service in Google Photos from Nov. 21-25. The tech giant informed users who had requested the service during that time that the resulting download may have been “incomplete” but also likely contained “videos that are not yours.” The suggested actions to take was to delete the previously downloaded data and download the content again.

The company said that less than 0.01% of Photos users were affected and none of Google’s other products was affected.

MSSPs should strongly consider providing the means to protect enterprise image data taken or stored on employee privately owned phones as strongly as other apps and data are. To grasp both the opportunity and the dangers, it’s important for MSSPs to fully understand the security risks visual data uniquely poses to a variety of businesses.

“Whether the content is captured by insurance adjusters, health care professionals, critical infrastructure administrators, financial services liaisons or any number of similar professionals while performing routine line-of-business activities, the fact is that such potentially sensitive content could easily be inadvertently released in this Google privacy breach … or another breach down the road,” said Bohls.

“IT, security, compliance and C-suite executives – whether with law firms, health care providers, insurance companies, or other regulated industries – need to wake up to this problem, evaluate secure content capture solutions for mobile users, and better protect and manage this content,” Bohls added.

Panorays’ Elad Shapira

While users should demand better security from companies like Google, it’s important to realize that given the complexities of businesses today, leaks will continue to happen as often through human error as technical vulnerabilities.

Take for example, an incident in December, when consulting firm IMGE accidentally exposed the names, phone numbers, home and email addresses of more than 6,000 Boeing staff. In that data snafu, too, an enterprise and its employees were exposed because of a third-party cloud misconfiguration.

“To help deter such data leaks, organizations must thoroughly assess and continuously monitor the security of their third parties and to be vigilant about how data is stored,” said Elad Shapira, Head of Research at Panorays.