Google Play vulnerability allegedly lost woman “thousands” of dollars

Over a period of about a year, one Californian woman was charged thousands of dollars for unauthorized Google Play transactions, which she alleges were due to a security vulnerability on Google's part.
Published on April 21, 2015

We’ve all heard nightmare stories about unexpected charges relating to our mobile devices, the majority of which can be traced back to children purchasing apps or making in-app purchases, and often to a lack of security on the part of a parent’s account. But what if you got online one day, checked your account and found that you’d been charged “thousands” and were adamant you had done nothing wrong? That’s the situation one Californian resident claims to be in.

Susan Harvey recently filed a lawsuit against Google claiming that between the period of April 2013 and May 2014 approximately 650 transactions had occurred that she was totally unaware of, alleging that her account was ‘hacked’. The total of the transactions reportedly came to thousands of dollars, though no exact amount has been publicly listed as far as we can tell.

First question you might have is “how the hell can you not notice thousands of dollars going missing from your account” — we’re right there with you. To be fair, this happened slowly over the course of an entire year and so it’s possible the hit wouldn’t be that noticeable to those that don’t keep a watchful eye over their bank accounts. Still, it’s always a good idea to review your bank account transactions at least on a weekly basis, if possible (friendly tip of the day).

As for how Harvey first discovered the error? Apparently in March of 2013 Harvey bought her first Android phone, signed in with her Google email address, linked it to her bank debit card, and downloaded her first app, a trial app that she ended up updating to the full version a little later. From there, she began enjoying her phone and never noticed any issue. It wasn’t until August of 2014, when she bought a second phone and was looking to transfer a paid app to it, that she stumbled upon the issue. She logged into her Google account and was “shocked to find approximately six hundred and fifty (650) listed transactions, the majority of which were unrecognizable to Plaintiff, and certainly not transactions conducted by Plaintiff.”

On the advice of both her bank and Google, she filed a police report, but neither of these entities agreed to refund her the money. Harvey went on to contact the individual developers that were listed in her transaction history:

Almost every vendor that cooperated with Plaintiff advised her the same thing: they could not identify the transaction numbers as part of their billing and the transactions cited by Plaintiff are Google transactions under which Google is receiving monies.

The plaintiff then went back to Google, which eventually acknowledged she didn’t authorize the transactions and allegedly promised to refund her, but never did.

Bottom line, the plaintiff is suing for two reasons. First, Harvey believes that a security vulnerability in the Play Store allowed hackers to obtain her information and make fraudulent charges. Second, Harvey says that Google failed to notify her of the alleged security breach in a timely manner, and failed to promptly refund her for her fiscal loss.

If we had to take a guess, the root cause of Harvey’s issue probably boils down to one of two things: a weak password or a malicious app. If it’s the former, Google really can’t help that. If it’s the latter, and the app she initially bought caused the breach due to malicious code, then she probably has a pretty strong case. What do you think, do you buy the story here? In your opinion, is Google likely at fault, or are bad security practices on the plaintiff’s part just as likely the culprit?

Lesson learned? Pay attention to your finances!