One day last August, Susan Harvey tried to download a previously purchased app onto a second mobile phone, only to have Google’s dashboard tell her that – yikes! – there were 109 transactions on her account.
Clicking on another tab on Google’s site led her to find that, even worse, there were about 650 transactions listed, most of which she says she didn’t recognise.
Her bank records told the tale: between April 2013 and May 2014, her account had been drained of thousands of dollars.
According to The Register, the California woman last week filed a lawsuit against Google in the Eastern California District Court, alleging that the search company’s inadequate security enabled crooks to run up thousands of dollars in charges on her Google Play account that were then debited electronically without her sign-off.
Harvey also accuses Google of first refusing to reimburse her, then backing down and agreeing to refund the money, but ultimately failing to pay up as promised.
At first, Google claimed that the transactions in question did, in fact, belong to Harvey.
Both her bank – Bank of America – and Google requested police reports, which Harvey’s lawsuit says she submitted. Still, neither the bank nor Google reimbursed her.
Harvey took matters into her own hands, getting in touch with the vendors listed in the transactions.
Nearly all of them told her that they didn’t recognise the transaction numbers as being part of their own billing. The vendors said that the transactions were, in fact, Google transactions, and that Google itself was receiving the money.
When she relayed her findings to Google, the company acknowledged that Harvey hadn’t made the transactions, but it still refused to reimburse her.
After more complaining, Harvey says Google’s legal department contacted her and told her the refund was in the works.
But as of the time of the filing, not only hadn’t she seen her money, but some of the transactions identified as fraudulent had disappeared from her account.
From the filing:
After plaintiff repeatedly complained and advised Google of her findings, Google's legal department contacted plaintiff and advised her that all transactions would be reimbursed.
To date, all transactions unauthorized by plaintiff have not been reimbursed and notably, some transactions previously identified as fraudulent have been erased from plaintiff's account.
Harvey is claiming that there must have been a flaw in Google Play that allowed thieves to post bogus transactions to her account, that Google acted negligently by allowing her personal information to be breached and her identity to be stolen, and that Google broke breach notification law by not telling her about the problem.
She’s also claiming that Google allowed electronic fund transfers – some recurring – to go through without her authorization.
She’s requesting a jury trial and monetary damages.
Google declined to comment when contacted by The Register.
Regardless of the lawsuit’s outcome, it’s a good reminder of why we should all be keeping a close eye on our bank account statements.
Spotting the first unrecognizable transaction can help stop hemorrhaging of funds to swindlers before you lose thousands, whether the criminals are coming in from Google Play or anywhere else.Follow @NakedSecurity