Google is shutting down its ill-fated social network, Google+, after user data was exposed, with up to 500,000 users affected. According to a report in the Wall Street Journal, the company knew about the issue back in March, but chose not to disclose it.

A bug in the Google+ software meant that information that people believed to be private has been accessible by third parties. In a statement on the breach, Google said that it did not feel that the data exposed warranted informing users, but an internal Google memo quoted by the Wall Street Journal cited “immediate regulatory interest” as one reason behind not disclosing the bug.

“Our Privacy and Data Protection Office reviewed this issue, looking at the type  of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” said a spokesperson for Google. “None of these thresholds were met here.”

In many ways, the failure of Google+ may have been its saving grace here, with such a relatively small number of users exposed and no warnings about sensitive data such as email addresses or other personal information having been stolen. The bug which caused the breach affected the Google+ API, and according to Google, it is satisfied that none of the 438 apps which had access to the information misused the data.

Launched in 2011, the platform failed to find an audience or compete with services like Facebook and Twitter. Speculation about whether or not Google would shutter the platform has been rife for years, and the data breach is the final nail in the coffin for Google+. Google has said that it will continue to offer private Google+ powered networks for businesses currently using the software, but the consumer version will be shut down.

“This review crystallised what weve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,” said Ben Smith, Google Fellow and vice president of engineering. “The consumer version of Google+ currently has low usage and engagement: 90 per cent of Google+ user sessions are less than five seconds.”

Because the bug and subsequent breach first came into existence in 2015 and was discovered and patched in March 2018, Google will likely not be liable under GDPR guidelines for the exposure of data, or for its failure to disclose the breach. However, the company could still face class action lawsuits, and given the public reaction to the Cambridge Analytica scandal, may even have to face lawmakers in the US, UK and beyond again. The companys share price dropped by 1.23 per cent following the disclosure of the breach.