Monday's post discussed the reasons for consumers to know what privacy they give up when using Google services. Part of that assessment is knowing what personal data Google has about you, especially if your data is hacked, stolen, or exposed during a data breach.
Last week, CNET News reported:
"... Google's JotSpot service, which allows people to collaborate on online documents, exposes user names and e-mail addresses to anyone on the Internet, but Google says the problem is due to administrator users not making the settings private. As a result, sensitive user data is indexed by Google's crawler and made accessible on the Web, said Ben Edelman, a Harvard Business School professor and security researcher."
What data was breached?
"CNET News was able to view full user names, e-mail addresses, and group memberships of JotSpot users. This was done by searching Google for "user management" pages on JotSpot that list registered users for different JotSpot projects or groups. Such a search conducted late on Thursday brought up about 2,800 results."
This news story highlights the need for companies to consistently and effectively train their employees on effective data security habits and the company's data security policies. Otherwise, data breaches are bound to happen.
This data breach is no different from the multitude of breaches where company employees are all too often lax about data security, leave laptops unprotected, and store massive amounts of sensitive data about customers, employees, and former employees. It's no different from an employee copying files with sensitive data to an unprotected folder or sub-folder on a public Internet server.
Perhaps more importantly:
"The problem also exposes a chink in Google's hosted services business, which relies on customers--individuals and companies--having faith in Google's ability to secure customer data..."
I agree 1,000% with Edelman. If a vendor is going to encourage users to collaborate on documents via the Internet, then that vendor should make the privacy settings and features in their application as "bullet-proof" as possible.
That may mean making the default document access settings private. It may mean extra on-screen messages and warnings when users deviate from the standard document access privacy settings. It may mean adding to the application a default set of settings that matches the company's internal policy, so that changed settings can be easily discovered and flagged to the administrator who changed them.
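The three measures above (private defaults, a warning when an administrator deviates from them, and a policy baseline against which drift can be detected) can be shown in a small model. The following is an added example written for this post, not JotSpot's or Google's code: the workspace names, the setting names and the policy baseline are all constructed assumptions. The `exposes_member_list_to_crawlers` check captures the combination the CNET story describes, a public user-management page on a workspace that search engines are allowed to index.

```python
"""Secure-by-default sharing settings with a drift audit (hypothetical model).

Not JotSpot's or Google's code. Setting names, the policy baseline and the
sample workspaces below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Company policy baseline (constructed): what every workspace should look like
# unless an administrator deliberately changed it.
POLICY_BASELINE: Dict[str, object] = {
    "document_visibility": "private",     # who can read documents
    "member_list_visibility": "private",  # who can see the user-management page
    "allow_search_indexing": False,       # may crawlers index the workspace at all
}


@dataclass(frozen=True)
class WorkspaceSettings:
    """Sharing settings for one workspace; every default is the private choice."""
    name: str
    document_visibility: str = "private"
    member_list_visibility: str = "private"
    allow_search_indexing: bool = False


def deviations(ws: WorkspaceSettings) -> List[str]:
    """Return one human-readable warning per setting that differs from the baseline."""
    out = []
    for key, expected in POLICY_BASELINE.items():
        actual = getattr(ws, key)
        if actual != expected:
            out.append(f"{ws.name}: {key}={actual!r} (policy baseline {expected!r})")
    return out


def change_setting(ws: WorkspaceSettings, key: str, value) -> Tuple[WorkspaceSettings, List[str]]:
    """Apply an administrator's change and return the new settings together with
    the warnings the UI should display before the change is saved."""
    if key not in POLICY_BASELINE:
        raise KeyError(f"unknown setting {key!r}")
    updated = replace(ws, **{key: value})
    return updated, deviations(updated)


def audit(workspaces: List[WorkspaceSettings]) -> Dict[str, List[str]]:
    """Map each drifted workspace name to its deviations; compliant workspaces are omitted."""
    report: Dict[str, List[str]] = {}
    for ws in workspaces:
        devs = deviations(ws)
        if devs:
            report[ws.name] = devs
    return report


def exposes_member_list_to_crawlers(ws: WorkspaceSettings) -> bool:
    """The combination behind the incident in the post: a public member list on a
    workspace that search engines are allowed to index."""
    return ws.member_list_visibility == "public" and ws.allow_search_indexing


# Constructed sample workspaces, not real JotSpot data.
SAMPLE = [
    WorkspaceSettings("finance-wiki"),
    WorkspaceSettings("marketing-wiki", document_visibility="public"),
    WorkspaceSettings("eng-wiki", member_list_visibility="public", allow_search_indexing=True),
]

if __name__ == "__main__":
    for name, devs in audit(SAMPLE).items():
        for line in devs:
            print("WARNING", line)
    for ws in SAMPLE:
        if exposes_member_list_to_crawlers(ws):
            print("EXPOSED member list:", ws.name)
```

Run as a script, the audit warns about `marketing-wiki` (one deviation) and `eng-wiki` (two deviations) and marks `eng-wiki` as exposing its member list; `finance-wiki`, which never left the defaults, produces nothing. The design point is that the baseline is data, not code: an organization can tighten or relax it without touching the warning or audit logic.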