Steven Everett and Connor Murphy report:
Until December 2017, Google Groups containing hundreds of University communications and associated documents with restricted, confidential, or otherwise sensitive information had misconfigured permission settings such that anyone who could access the Boston College G Suite—known formally as Google Apps—could view them, a Heights investigation found.
The Heights notified the University on Dec. 18 of this vulnerability. BC Information Technology Services (ITS) immediately secured the vulnerability that day, but it was not until the week of March 19 that Google instituted a platform-wide modification. The Heights withheld publication of this article until a wider fix was implemented, as publishing this story before that change could have made other institutions that use G Suite more vulnerable in the event that they also had misconfigured privacy settings.
Read more on BC Heights.
And this, folks, is yet another reminder why the baked-in default by designs should be “private” and not “public.”