Google fired dozens of employees between 2018 and 2020 for abusing their access to the company's tools or data, with some workers potentially facing allegations of accessing Google user or employee data, according to an internal Google document obtained by Motherboard.
The document provides concrete figures on an often delicate part of a tech giant's operations: investigations into how the company's own employees leverage their positions to steal, leak, or abuse data they may have access to. Insider abuse is a problem across the tech industry. Motherboard previously uncovered instances at Facebook, Snapchat, and MySpace, with employees in some cases using their access to stalk or otherwise spy on users.
The document says that Google terminated 36 employees in 2020 for security-related issues. Eighty-six percent of all security-related allegations against employees included mishandling of confidential information, such as the transfer of internal-only information to outside parties.
Ten percent of all allegations in 2020 concerned misuse of systems, which can include accessing user or employee data in violation of Google's own policies, helping others to access that data, or modifying or deleting user or employee data, according to the document. In 2019, that figure was 13 percent of all security allegations.
Do you know about any company employees leveraging their access to user data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
Google terminated 26 people in 2019 and 18 in 2018 related to security incidents, the person who provided the document told Motherboard. Motherboard granted the person anonymity to speak more candidly about Google issues. The document says that other measures Google can take with employees that mishandled data can include warnings, training, and coaching.
A Google spokesperson told Motherboard in a statement: "The instances referred to mostly relate to inappropriate access to, or misuse of, proprietary and sensitive corporate information or IP."
"Regarding user data, we tightly restrict employee access through a number of industry leading safeguards, including: limiting access to user data to necessary individuals, requiring a justification to access such data, multi-stage review before access is granted to sensitive data, and monitoring for access anomalies and violations," the statement added. "The number of violations, whether deliberate or inadvertent, is consistently low. Every employee gets training annually, we investigate all allegations, and violations result in corrective action up to and including termination. We are transparent in publicizing the number and outcome of our investigations to our employees and have strict processes in place to secure customer and user data from any internal or external threats."
In 2010, Google fired engineer David Barksdale for leveraging his position as a member of a technical group to access the accounts of four minors, Gawker reported at the time. Barksdale accessed a 15-year-old boy's Google Voice call logs, as well as contact lists and chat transcripts and unblocked himself from a teen who had cut communications with him, the report added.
Subscribe to our cybersecurity podcast, CYBER.