Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Google Businesses

Leaked Document Says Google Fired Dozens of Employees for Data Misuse (vice.com) 34

Google has fired dozens of employees between 2018 and 2020 for abusing their access to the company's tools or data, with some workers potentially facing allegations of accessing Google user or employee data, according to an internal Google document obtained by Motherboard. From a report: The document provides concrete figures on an often delicate part of a tech giant's operations: investigations into how company's own employees leverage their position inside the company to steal, leak, or abuse data they may have access to. Insider abuse is a problem across the tech industry. Motherboard previously uncovered instances at Facebook, Snapchat, and MySpace, with employees in some cases using their access to stalk or otherwise spy on users.

The document says that Google terminated 36 employees in 2020 for security related issues. Eighty-six percent of all security-related allegations against employees included mishandling of confidential information, such as the transfer of internal-only information to outside parties. 10 percent of all allegations in 2020 concerned misuse of systems, which can include accessing user or employee data in violation of Google's own policies, helping others to access that data, or modifying or deleting user or employee data, according to the document. In 2019, that figure was 13 percent of all security allegations.

This discussion has been archived. No new comments can be posted.

Leaked Document Says Google Fired Dozens of Employees for Data Misuse

Comments Filter:
  • by Anonymous Coward

    >Leaked Document [...] fired dozens of employees
    >[...] such as the transfer of internal-only information to outside parties [...]

    Many Bothans died to bring us this information.

  • by Pascoea ( 968200 ) on Wednesday August 04, 2021 @09:55AM (#61655385)
    That was one of the first lessons I got from my first job in IT: Just because you have access to it doesn't mean you're allowed to look at it. It's part of the responsibility of being an admin. These 36 people learned the hard way why you need to keep your nose out of where it shouldn't be.
    • by v1 ( 525388 )

      We have a saying here, "just because you can, doesn't mean you should"

      Someone here crossed that line, and lost their job as a result. This triggered a review of the can's, and a lot of unnecessary rights were revoked.

      This is a bigger problem in places where position implies a high degree of trust, and it's just easier to give them they keys to the kingdom than to review everything they need access to and grant it piecemeal.

      I prefer the "Start them with minimal access, and every time they need access to som

      • by tlhIngan ( 30335 )

        Heck, the properly responsible ones also ditch the power when not needed.

        I'm given access to file shares as necessary, though I often need to refer to them so I end up keeping the permissions (everyone has read access, because project stuff can be useful elsewhere).

        But sometimes I have access temporarily because I needed it, and I usually give it up afterwards.

        E.g., I was asked if I wanted domain admin access - I asked why and was told sometimes people lock themselves out. I pointed out that usually, the re

        • by v1 ( 525388 )

          so for the 5 minutes I needed to re-add their computer to the domain, I needed domain admin

          We have a special user here whose only domain authority is to add computers to the domain, and that's what we use for that. Those credentials also have to be stored inside scripts that do our computer imaging, scripts which several people have access to that are NOT domain admins. This is commonly known as a "service account", and I suggest you ask the DM to create such an account for this purpose, so you don't have

    • This is supper common in the industry. Usually some "kid" just out of college, with their first experience of having "Power". Having grown up in a situation where they didn't have much power, they often get a drunk with power when they are given some.

      You give someone who has been doing jobs and work of just do what I tell you to do, and we will open the door and lock up when we are done, experience and access to a huge set of data. Searching the browsing habits of your Ex, Crush or SO digging up dirt on t

      • by ArmoredDragon ( 3450605 ) on Wednesday August 04, 2021 @10:35AM (#61655525)

        There should be HIPAA style laws for this. I work for a major health care organization (owns several hospitals) and part of my job responsibility involves determining who should and should not have access to PHI. Yet even I do not have authorization to view that data, not even for testing purposes to ensure that our access controls are working (we have mock records for that.) If I so much as open a patient record, an auditor will notice, then I'll have some splainin to do, and the company would have to report a HIPAA event, and depending on the severity there could be criminal prosecution for me AND the company.

        Put similar laws in place for PII as there is for PHI, and watch how fast this would stop. Though I'm sure Mark Zuckerberg would have an aneurysm if such laws ever existed.

        • Still with healthcare, there are breaches that happen. While you may not have access to PHI, others do. Say people who are doing Financial Reporting, and general Revenue Cycle work. The best practices are to reduce the number of people who need all the data, however it is impossible to often get it to 0. Even a small team with the access to protected data, can still have a rogue employee who may overreach.

      • However only 36 users out of the thousands of Google workers, is really good

        There is no reason to believe it is "really good" instead of "really bad." They have so many workers, and it is such a common temptation, I'd expect the rate of noncompliance to be much higher than that. This suggests a lack of oversight.

        What I'd want to see to believe it is "really good" would be a much higher number than that one year, followed by much less in later years. Then I'd believe that they had successfully dealt with the problem.

        This reads more like, they stuck their nose in and fired the people

  • by peterww ( 6558522 ) on Wednesday August 04, 2021 @09:55AM (#61655387)

    Well they do have 40,000 engineers. With enough people in power you're gonna have some people abusing it.

    • So long as you aren't doing anything illegal or evil, then you have nothing to fear from a bunch of (possibly malicious) strangers snooping around in your data. There is no way any harm will come of this.

      Keep giving Google your data. It will be fine. DuckDuckGo is for paranoid weirdos.

  • I have to suspect Google upper management's major concern is that the employees they caught doing creepy, stalky stuff were encroaching on territory they reserve for themselves.

  • funny (Score:4, Interesting)

    by fulldecent ( 598482 ) on Wednesday August 04, 2021 @10:22AM (#61655479) Homepage

    It's funny how they publish how many government requests and NSL requests they get. But they don't publish employee misuse of data--and still we don't know how many subject accounts are affected by these.

    Government requests at least have an overt purpose for public safety and may even possibly be helpful for public safety.

    Employee mishandling of subject data is always for fraud and bad purposes (otherwise it would be called "handling" not "mishandling").

    It's almost as though Google publishes the one and not the other because it makes them look good rather than actually providing transparency to their subjects.

    • by WallyL ( 4154209 )
      How do we know that this behavior for which these 36 folks were terminated, is not extremely common, and these 36 just didn't kowtow the right way or upset the wrong person? This is just a wild theory, but what if it's like speeding: A rule that is selectively enforced. These guys just looked cross-eyed at the policeman or something?
    • Why should they? One involves company internal issues, while the other is a societal, "freedom of speech" issue.

      Ya need to get your issues straight.

      Just because actions are similar in two situations, you have to look at motivations. Those are usually more important than "dry" actions.

  • Google reports that they fired 36 people for data misuse. That means they know about at least 36 persons who misused their access privilege. How many times did each of those users access data? What data did they access? How many people abused privileges that weren't fired? And (unanswerable but more disturbing), how many Google employees misused their access privileges that they (Google) don't know about, or choose not to document?
    • They didn't even report the 36; the document was leaked.
      Still, there's degrees of abuse. They'd probably sack people for digging up info on their ex, or for selling info on celebrities to outsiders (apparently, 86% of these cases involved a transfer to a 3rd party). But a junior staff member poking his nose where it doesn't belong out of curiosity? You'd let them off with a warning.
      • Naturally that also precludes any similar behavior done at the direction of management. I'm quite sure there are some of these people who would not have been fired for their actions if they had the company's blessing.

        But the notion that we need to know all of this or have some right to it is a bit silly. Do you or I have a right to know how many employees were terminated from a restaurant for not washing their hands after using the restroom? At what point can that information be used to violate the priva
        • by arQon ( 447508 )

          Do you or I have a right to know how many employees were terminated from a restaurant for not washing their hands after using the restroom

          Yes, we do! Are you even being serious, or was that supposed to be a joke?

          We may not *personally* need to know it, but after the 15th time in a month that someone gets a norovirus from that restaurant, action needs to be taken. This is no different.

          > At what point can that information be used to violate the privacy of the former employees

          Pretty much "never" - but I guess the deliberately fallacious argument there answers my question of whether or not you were joking.

          > and what good does that serve to

      • They didn't even report the 36; the document was leaked.

        So it is going to be 37 soon then?

  • I also have a non-compete clause in my contract.

  • Idiots are poor at counting so nice clickbait....

    • Given 40k employees, the fact that it is only dozens is newsworthy. That implies Google's internal security monitoring is either incredibly effective or abysmally ineffective. Given how few celebrities have had all of their dirt dumped on the Internet by a Google employee, I'd tend toward "effective" hypothesis. And that is newsworthy.

  • It's a real problem for compliance. To be fair to Google, I don't think any of the Cloud providers are actually living up to their disclosure requirements. I know that if you are a customer and read the AWS SOC2 report, for example, you'll see them state they will report data breaches and talk about their internal security monitoring and procedures to detect and handle internal abuses of privilege, mishandling, etc.. These examples of internal mishandling sure seem to constitute data breaches but I don't
  • Comment removed based on user account deletion
    • Spy agencies can plant engineers into corporations and get them to retrieve information

      That has nothing to do with this story. Whatever spies there are, they're unlikely to have conducted their access in such a way that they were among the only 36 people to get fired for improper data access.

      These were almost certainly people who shared clients nude pictures with coworkers and were reported.

  • by Ultimer ( 8105522 )
    Well, dating sites are a good way to find new people, not only for us but also for those who support their work. I wonder if the tech support of such services has access to the profiles of the coolest girls? I manage to find girls to meet on www.datingreviews.com.au [datingreviews.com.au], and I don't know if you think this is a positive experience or not, but I'm sure you can find a stable relationship there too.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...