UniSuper's 647,000 users faced two weeks of downtime because of a Google Cloud bug.
See full article...
See full article...
So Google can delete your information whenever they seem necessary, since this statement lists that a customer is not informed when the admin tool is used. Yet asking Google to delete your personal information when it's for advertising is impossible.Google says there are, but those warnings are for a "customer-initiated deletion" and didn't work when using the admin tool.
Aren't you referencing a completely different type of information stored in a completely different way?So Google can delete your information whenever they seem necessary, since this statement lists that a customer is not informed when the admin tool is used. Yet asking Google to delete your personal information when it's for advertising is impossible.
Will customers now be informed when their data is deleted? I feel like that would be a pretty useful notification for users.
Talk about a 'It's only a flesh wound' statement."Data backups that were stored in Google Cloud Storage in the same region were not impacted by the deletion, and, along with third-party backup software, were instrumental in aiding the rapid restoration." It's hard to square these two statements, especially with the two-week recovery period.
Agreed, they're trying to use systemic to mean widespread, which I guess it's not, but this is absolutely a systemic problem as it's a problem that was baked into the system itselfSystem automatically deletes everything because of initial misconfiguration yet it's "not a systemic problem"? That's just... ugh.
The true statement would be "We had a systemic problem but we've fixed it".
Maybe all statements were heavily edited by PR department, accuracy be damned?
By "user," they mean "customer." This was an internal tool used only by Google employees, for certain custom deploys the customer-facing interface couldn't then handle.It seems there should be safeguards at something higher than the permissions level of an individual user to do certain things. I get that an unfilled entry on a script can cause unstable behaviors. It's just that, why does that script execution environment have the ability to delete an account and all its saved data with no grace period? This seems like a structural problem for Google, and not (only) a coding error.
That would be called obstruction of justice and evidence tampering, providing there is a valid warrant for that dataYou always need a way to totally and permanently nuke something - in case the Feds come calling, etc. Yeah, I know, I'm cynical.
Publicly posting about one of your individual customer's problems sounds like a bad idea by default.The silence during this entire process from Google was deafening. Having a customer posting updates, co-signed by the CEO of Google Cloud but not cross-posted to any official Google domain, made an already bad issue worse.
It didn't. It set a fixed term, and the end of term code did the deletionI get that an unfilled entry on a script can cause unstable behaviors. It's just that, why does that script execution environment have the ability to delete an account and all its saved data with no grace period?
By "user" I meant in the old-school "guy sitting at a desk accessing the company's network."By "user," they mean "customer." This was an internal tool used only by Google employees, for certain custom deploys the customer-facing interface couldn't then handle.
The Google employees have a light higher privileges and access, especially considering they're creating custom deployments that customers can't do themselves.
Also, neither the Google employee nor the script started an account deletion. Instead, a parameter that was left blank meant that the system did it automatically, since it treated that blank parameter as an instruction to automatically delete the account after a year.
But it's a structural issue, yes, with the system they set up for account creation and deletion. They seem to think they patched away this issue though, at least by stopping ways customers or staff could instigate it.
That happened to coincide so it happened automatically. That's not how grace periods work...It didn't. It set a fixed term, and the end of term code did the deletion
I have to imagine there are a lot of Google Cloud customers with mission critical data wondering if they picked the right horse. This whole thing is not about appeasing UniSuper, but the rest of Google's customers.There were joint statements from the Google Cloud CEO and UniSuper CEO on the matter, a lot of apologies, and presumably a lot of worried customers who wondered if their retirement fund had disappeared.
Eh, 28 days for public post mortem seems pretty typical (and obviously better that companies with no public post mortems), especially with two weeks of it working on recovery.The silence during this entire process from Google was deafening. Having a customer posting updates, co-signed by the CEO of Google Cloud but not cross-posted to any official Google domain, made an already bad issue worse.
I don't think anyone is arguing against the existence of an immediate delete option, just that it should require a human in the loop. Soft deletes can be automated because they're, well, soft and can be restored but if you really want to nuke everything that should require manual intervention. The tool shouldn't even be capable of doing a full delete without confirmation.While I feel it shouldn't be the default, I'm not surprised that there is a way to set things up to immediately delete backups on the deletion of an account, as I have dealt with situations where clients have wanted that functionality.
Which would be fine if the client had asked for it, and someone at Google then pressed Y for “Are you sure you want to delete every damn thing?”While I feel it shouldn't be the default, I'm not surprised that there is a way to set things up to immediately delete backups on the deletion of an account, as I have dealt with situations where clients have wanted that functionality.
The counterpoint would be an Apple “ghost photo” scenario.. where what was thought deleted appears again.It's still not clear to me why "automatic deletion" wouldn't involve some form of SOFT or logical delete. To the outside world it is gone, but everything remains in a form that can be reverted (even if that process is laborious).
I don't write anything that doesn't have some form of soft delete that persists for a given amount of time ...
Just common sense / working with customers should teach you that people make mistakes and soft deletes are the way to go. Someone is going to footgun themselves at some point, even me, gotta be safe.
Even if he is, I am pretty certain Google has ability to delete or manage any information stored in any way, within their organization.Aren't you referencing a completely different type of information stored in a completely different way?
Why do you think the grace period didn’t expire as well. Since the deployment was misconfigured as fixed term but the account was actually open ended it seems like any warnings that your term was over would never be triggered.It's just that, why does that script execution environment have the ability to delete an account and all its saved data with no grace period?
While I realize Google Cloud doesn’t have the largest customer base, that really doesn’t scale well.The tool shouldn't even be capable of doing a full delete without confirmation.
Probably because UniSuper didn't notice something was wrong. If Google had a grace period, UniSuper's system would have gone down, they would have called Google, and Google would have been "Oops, my bad, let me flip this flag to turn it back on for you". Since Google couldn't just turn the system back on, but had to have things restored from UniSuper's backups, there clearly wasn't a grace period.Why do you think the grace period didn’t expire as well. Since the deployment was misconfigured as fixed term but the account was actually open ended it seems like any warnings that your term was over would never be triggered.
I assume the customer was writing to their databases all this time. If you're actively updating storage, it's not in a grace period. Unless Google didn't implement that sort of thing properly.Why do you think the grace period didn’t expire as well. Since the deployment was misconfigured as fixed term but the account was actually open ended it seems like any warnings that your term was over would never be triggered.
Also a great way to get an adverse inference in a civil context, which is quite a bit more common but still fits "the feds calling".That would be called obstruction of justice and evidence tampering, providing there is a valid warrant for that data
Even if there's nothing nefarious there's usually situations where you're required by law to hard delete. I work with healthcare records and 99.99% of the time an in-system correction (visible in history) or soft delete (only visible on back end) is good enough. But if you get a court to agree that these entries are both provably false and very damaging you can get them expunged. And that means "nuke it from orbit" gone, being unable to recover the contents is the desired result.You always need a way to totally and permanently nuke something - in case the Feds come calling, etc. Yeah, I know, I'm cynical.