A glitch in Google's business software exposed some users' personal information, including their e-mail addresses, mailing addresses and phone numbers, for nearly two years, even though users opted to keep their data private.
The program, Google Apps for Work, had a bug starting in mid-2013 that could have affected up to 94 percent of its 306,000 Google Apps for Work site owners who chose to keep their data anonymous by selecting the unlisted registration option. While users' domain registration information was kept out of the WHOIS directory for the first year, a software defect in the Google Apps domain renewal system listed the site registration information publicly in the WHOIS directory upon renewal.
Since a number of services keep WHOIS information archived, some of this information might be available on the Internet permanently.
Talos, a maker of computer networking gear that's associated with Cisco Systems, discovered the bug and immediately notified the Google security team. Within days, the privacy settings were restored to the affected domains.
Users hide their domain information for a number of reasons, from seeking privacy to protecting against phishing, identity theft or other scams. To provide this option to users, Google Apps for Work uses a third-party privacy provider called eNom that allows users to anonymize their personal data for about $6 per year.
eNom's advertisement for their privacy protection services reads: "In America, alone, there are an estimated 9 million cases of identity theft each year and 3 trillion spam emails sent each year. Spammers and thieves can get your information through your domain name's public record. ID Protect keeps your information safe by privatizing your domain's entry in public records."
Unfortunately, a bug prevented users from benefiting from this extra protection once their registration was renewed.
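A defender-side check for the failure mode described here, as an added example that is not from the article, Google, eNom or Talos: parse a WHOIS record and flag registrant contact fields that are populated without a privacy-proxy marker, which is what a post-renewal monitor for your own domains would look for. The WHOIS text, the field names and the privacy-marker strings are constructed assumptions, not real records or any provider's actual format.

```python
"""Check whether a domain's WHOIS record is still masked by a privacy proxy.

The two records below are constructed sample data (not real WHOIS output);
the 'Key: value' layout and the marker strings are assumptions.
"""
import re

# Substrings that typically identify a privacy/proxy registrant (assumed list).
PRIVACY_MARKERS = ("whois privacy", "id protect", "privacy protect", "proxy")

# Registrant contact fields whose exposure would leak personal data.
CONTACT_FIELDS = ("Registrant Name", "Registrant Street",
                  "Registrant Phone", "Registrant Email")

MASKED = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar (constructed)
Registrant Name: Whois Agent
Registrant Organization: ID Protect Service (constructed)
Registrant Street: PO Box 1
Registrant Phone: +1.0000000000
Registrant Email: proxy-token@privacy.example
"""

EXPOSED = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar (constructed)
Registrant Name: Jane Doe (constructed)
Registrant Organization:
Registrant Street: 1 Main St
Registrant Phone: +1.5550100
Registrant Email: jane@example.com
"""

def parse_whois(text):
    """Parse 'Key: value' lines into a dict; the first occurrence of a key wins."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.*)$", line)
        if m and m.group(1).strip() not in record:
            record[m.group(1).strip()] = m.group(2).strip()
    return record

def exposed_fields(text):
    """Return the contact fields that are populated with no privacy marker,
    either in the field itself or in the registrant organization."""
    record = parse_whois(text)
    org = record.get("Registrant Organization", "").lower()
    masked_by_org = any(mk in org for mk in PRIVACY_MARKERS)
    exposed = []
    for field in CONTACT_FIELDS:
        value = record.get(field, "").lower()
        if value and not masked_by_org and not any(mk in value for mk in PRIVACY_MARKERS):
            exposed.append(field)
    return exposed

def privacy_intact(text):
    """True when no registrant contact field is exposed."""
    return not exposed_fields(text)
```

Run `exposed_fields` on each domain's WHOIS output after every renewal; a non-empty result means the proxy was dropped, as happened here.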
"The obvious risk here is that some of these individuals who have been unmasked may now be in some form of danger as a result of their connection with the domain registration," says a Talos blog post. "Additionally, threat actors may use domain registration information for malicious purposes. For example, sending targeted spear phishing emails containing the victim's name, address and phone number to make the phish seem even more authentic."
Google says the affected domains are now back to being private and the issue will not affect any customer renewals in the months ahead, according to CNET. Google also emphasized that the data leak was limited only to domain-registration information, and that any data stored in Google Apps was not affected.