Exterior view of a Google's headquarters showing data misuse

Leaked Documents Indicate Google Fired Dozens for Data Misuse: Unauthorized Access of User Data, Modification & Deletion of Employee Data Among Complaints

Documents leaked to Vice’s Motherboard indicate that, between 2018 and 2020, Google fired at least 80 employees for data misuse. While most of these incidents appear to involve accessing and transferring sensitive corporate secrets or intellectual property, at least a few involve employees manipulating or deleting the data of other employees.

Only 0.04% of total workforce fired annually; but stored corporate information may not be safe

The number of employees fired make up a very small percentage of Google’s estimated 100,000 person workforce, but enough incidents were recorded to raise questions about how secure proprietary and sensitive corporate information is from insider abuse at the company.

The internal Google documents provide statistics collected by the company about allegations of employee misconduct and records of cases that led to firings, dated from 2018 to 2020. The records of firings show 36 employees being terminated for some sort of “security-related issue” in 2020, up from 26 in 2019 and 18 in 2018. These records apparently do not always make clear exactly what each employee was terminated for, but aggregate statistics are collected on security-related allegations.

Of the incidents documented in 2020, 86% were related to mishandling of confidential information. For the most part, this category is concerned with transfer of internal Google company information to outside parties in an unauthorized way.

10% of allegations involve “misuse of systems.” This is the category Google uses for incidents that involve unauthorized access to user data, providing others with such unauthorized access, or modifying or deleting the data of other employees. This number was down from 13% of allegations in 2019.

The anonymous Google insider that leaked the documents to Motherboard told reporters that termination numbers are not necessarily the full picture of the security risk, as employees can be given warnings or training in response to data misuse allegations. A spokesperson for Google that spoke to Motherboard appeared to corroborate the numbers, telling reporters that the firings mostly involved “inappropriate access to, or misuse of, proprietary and sensitive corporate information or IP.”

The Google spokesperson touted the company’s safety features meant to curb data misuse, including data minimization procedures in employee access and review processes required before access is given to especially sensitive data. The company also said that it actively monitors for “anomalies and violations.”

Insider data misuse is not a new issue for Silicon Valley’s giant tech firms, which handle and process the data of hundreds of millions of Americans. Google itself made news for this issue a decade ago when engineer David Barksdale was found abusing his position to access the accounts of at least four minors, spying on Google Voice call logs and chat transcripts. Though this was the first publicized incident of this nature for the search giant, it was not the first for the company; reporters investigating Barksdale’s case learned from Google that one other engineer had previously been removed for some sort of similar unauthorized access to user accounts.

Data misuse in tech companies

These incidents of data misuse are not often volunteered to the public by tech companies, and in some cases are discovered only through leaks or by whistleblowers coming forward.

Motherboard may have been selected by the present Google insider as it has broken similar stories involving Facebook, Snapchat and even Myspace in the past. In the case of Snapchat, an internal tool called “SnapLion” that was meant for response to law enforcement requests was abused by multiple employees in 2019 to pry into user accounts. In 2018, Facebook terminated multiple employees after allegations that they were using internal platform tools to stalk women, with insiders saying that incidents such as these were “typically not publicly reported.” And a 2019 investigation revealed that during Myspace’s run of popularity in the early-mid 00s, an internal backdoor tool that granted access to everything in user accounts (including plaintext passwords) was abused by multiple employees including some using it to stalk and harass former romantic partners.

And the incidents first reported on by Motherboard are far from the only data misuse issues that have cropped up in the world of big tech and online services. In 2016, a former employee of Uber filed a lawsuit claiming that employees would routinely violate the privacy of celebrities, politicians and former romantic partners using a “God View” feature that could display the location of the tracked user in real time. And in 2020, Amazon’s Ring division fired four employees for prying into the video footage of its users’ doorbell systems and security cameras.

Only 0.04% of Google's estimated 100,000 person workforce fired for data misuse, but incidents still raise questions about how secure proprietary and sensitive corporate information is from insider abuse. #cybersecurity #respectdataClick to Tweet

Erich Kron, security awareness advocate at KnowBe4, sees these data misuse issues as being endemic and very likely to continue but also something that can be safeguarded against by responsible companies: “Unfortunately, the misuse of data by insiders is not a new problem; however, the fact that it is impacting an organization such as Google demonstrates that there is no easy solution for the issue. While sensitive data is valuable to cyber criminals, stalkers and other bad actors, the simple allure of access to private information is also a powerful motivator. This is true anywhere there is non-public information about someone, whether that be a Hollywood celebrity or an old high school crush, curiosity is a strong emotion … Any organization that stores sensitive data, whether that is a police department and their non-public information on people or investigations or a search engine giant that stores data about almost every web search you do, needs to have robust data protection controls in place. It is critical to log any access to the data being collected, and this access must be reviewed on a regular basis. Data Loss Prevention (DLP) controls are also critical to make moving data out of the network more difficult and to quickly alert where there are anomalies in data access. Finally, a strong organizational security culture and robust training to help other employees spot people behaving in unusual ways or noticing odd data access themselves, can be a huge help when dealing with internal threats.”