Earlier today Gawker published an alarming report detailing the exploits of a former Google engineer who allegedly used his internal clearances to access private Gmail and GTalk accounts so that he could spy on and harass people, including four minors. The article repeatedly points out how much sensitive data the public has entrusted Google with, and highlights that the company's internal security policies may not be enough to maintain that security should a trusted employee go rogue. Google has just responded to the article with this statement, and it doesn't deny anything Gawker reported:
“We dismissed David Barksdale for breaking Google’s strict internal privacy policies. We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls--for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective. That said, a limited number of people will always need to access these systems if we are to operate them properly--which is why we take any breach so seriously.”
Bill Coughran, Senior Vice President, Engineering, Google
While the Gawker article correctly said that Barksdale had been fired for this reason, Google had not previously confirmed it and Barksdale had refused to comment on why he had been dismissed.
In light of the news, we've asked Google for more information as to how many times such breaches have occurred in the past, and how many people have access to these private accounts. Update: A Google spokesperson says that a similar security breach has happened once before and that the employee was also dismissed. The previous incident didn't have any minors involved.
According to the Gawker article, Barksdale was a Site Reliability Engineer, who had deep access to private accounts spanning multiple Google services.
Here's one particularly damning passage from the Gawker article:
“It's unclear how widespread Barksdale's abuses were, but in at least four cases, Barksdale spied on minors' Google accounts without their consent, according to a source close to the incidents. In an incident this spring involving a 15-year-old boy who he'd befriended, Barksdale tapped into call logs from Google Voice, Google's Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid's account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her.”
It's worth noting that one of Gawker's sources says that the harassment was not sexual in nature, though it was "a lot of violating people's personal privacy".