Leaked Google database reveals its secret privacy and security failures

The company confirmed to Engadget the authenticity of the data, acquired by 404 Media.


A collection of leaked internal Google privacy cases provides a rare glimpse into the company’s volume and handling of breaches, accidents and other incidents. 404 Media obtained and pored through the database, which covers thousands of internally flagged privacy and security issues from 2013 to 2018.

Google verified the trove’s authenticity with Engadget but claimed some of the reports were related to third-party services or didn’t end up being cause for concern. “At Google employees can quickly flag potential product issues for review by the relevant teams,” a company spokesperson wrote to Engadget. “When an employee submits the flag they suggest the priority level to the reviewer. The reports obtained by 404 are from over six years ago and are examples of these flags — every one was reviewed and resolved at that time. In some cases, these employee flags turned out not to be issues at all or were issues that employees found in third party services.”

404 Media writes that, when taken on an individual level, many cases only impacted a few people or were fixed quickly. “Taken as a whole, though, the internal database shows how one of the most powerful and important companies in the world manages, and often mismanages, a staggering amount of personal, sensitive data on people’s lives,” 404 Media’s Joseph Cox wrote.

Examples include a potential security issue where a government client of a Google cloud service had its sensitive data accidentally transitioned to a consumer-level product. Google’s internal report added that, as a consequence, a US-based location for the data was “no longer guaranteed for this customer.”

In 2016, another case flagged a glitch in Google Street View, where a filter in the service’s transcription software designed to omit captured license plate numbers failed to do its job. “As a result, our database of objects detected from Street View now inadvertently contains a database of geolocated license plate numbers and license plate number fragments,” the report acquired by 404 Media details. (Oops!) That report said the data was purged.

Another incident highlighted a case where a bug in a Google speech service accidentally captured and logged an estimated 1,000 hours of children’s speech data for about an hour. That case report claimed the team deleted all of the data.

Other cases in the database range from “a person” modifying customer accounts on Google’s ad platform to manipulate affiliate tracking codes to YouTube recommending videos based on users’ deleted watch histories. One report even highlights how a Google employee (unintentionally, according to the report) accessed Nintendo’s private YouTube videos and leaked info ahead of the video game company’s announcements.

The full report from 404 Media, which details more of the internal reports, is worth reading for anyone curious about the types of privacy and security incidents a company of Google’s magnitude faces — or causes itself — and how it addresses them.