(Adds prior letters, Google declines comment, more details)
By David Shepardson
WASHINGTON, Oct 24 (Reuters) - Two U.S. senators said Alphabet Inc's disclosure of user data vulnerabilities at Google+ raised "serious questions" over whether it violated a 2011 consent decree with the Federal Trade Commission, potentially exposing Google to penalties.
Alphabet said this month it would shut down the consumer version of its failed social network Google+ and tighten its data-sharing policies after announcing the private profile data of at least 500,000 users may have been exposed to hundreds of external developers.
The issue, the latest in a run of privacy issues to hit big U.S. tech companies, was discovered and patched in March. The Wall Street Journal reported that Google opted not to disclose the security issue due to fears of regulatory scrutiny, citing unnamed sources and a memo prepared by Google's legal and policy staff for senior executives.
Senators Amy Klobuchar and Catherine Cortez Masto wrote to Google Chief Executive Sundar Pichai on Wednesday asking why the company had failed to disclose the issue for six months.
The incident raises "serious questions" about whether the company violated a 2011 consent decree with the FTC, they wrote, adding that Google failed to "protect consumers' data and kept consumers in the dark about serious security risks." The company agreed to 20 years of audits to ensure consumer privacy as part of the consent decree with the FTC over botched rollouts of the social network Buzz, which is now defunct. In 2012, Google paid $22.5 million to settle charges it bypassed the privacy settings of customers using Apple Inc’s Safari browser and violated the 2011 decree.
Google declined to comment.
On Oct. 11, three Republican senators also asked the Google unit to explain why it delayed disclosing vulnerabilities with its Google+ social network.
"Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services," the Republican letter said.
The Republican letter asked whether the Google+ vulnerability had been revealed previously to any federal agencies, including the FTC, and if there were "similar incidents which have not been publicly disclosed?"
Pichai agreed last month to testify on privacy and other issues before a House of Representatives panel in November after meeting with lawmakers.
Three other Democratic senators also wrote to the FTC this month asking them to investigate Google+ and calling for a "renewed investigation into (Google's) privacy practices across its range of products and activities."
(Reporting by David Shepardson; Editing by Chizu Nomiyama and Susan Thomas)