The Silicon Valley giant said Monday it shut down its Google+ social network for consumers after it found and fixed a bug exposing private data in as many as 500,000 accounts, but drew fire for initially failing to disclose the incident.
The revelation heightened concerns in Washington over privacy practices by Silicon Valley giants after a series of missteps by Facebook that may have leaked data on millions.
"In the last year, we've seen Google try to evade scrutiny - both for its business practices and its treatment of user data," Senator Mark Warner said in a statement.
Warner said that despite "consent" agreements with the US Federal Trade Commission with Google and Facebook, "neither company appears to have been particularly chastened in their privacy practices."
"It's clear that Congress needs to step in" for privacy protections, he added.
Marc Rotenberg, president of the Electronic Privacy Information Center, said the latest breach suggests the FTC has failed to do its job in protecting user data.
"The Congress needs to establish a data protection agency in the United States," Rotenberg said. "Data breaches are increasing but the FTC lacks the political will to enforce its own legal judgments."
Senator Richard Blumenthal said the news shows that "to truly end this cycle of broken promises, we need a national privacy framework that protects consumers."
Security researcher Graham Cluley said in a blog that "the big story is that Google knew months ago that user data had been exposed and chose to keep the fact quiet."
"Did no one tell them that cover-ups are always worse than coming clean?" he added.
Princeton University researcher Arvind Narayanan noted in a tweet that Google revealed a "vulnerability" rather than a data breach but he noted that "Google has no way to know if the vulnerability was exploited in the past - precisely because of (its) privacy by design."
Bloomberg News reported meanwhile that Germany's data protection commissioner had begun a probe potential privacy protection violations.
The nternet search leader had already faced tensions with lawmakers after it decided against sending its top executive to testify at a hearing on privacy and data protection, prompting the committee to leave an empty seat for the company.
Last month, Google indicated it would send chief executive Sundar Pichai to testify before Congress.
Google has also been in the crosshairs of President Donald Trump, who alleged that its search results were biased against conservatives, although there was little evidence to support the claim.
The rising tensions come with Google holding an event in New York that released its Pixel 3, the upgraded premium smartphone that aims to compete with high-end devices from Apple and Samsung.
Google also launched a new version of its connected speaker, with a touchscreen display designed to be a hub for smart home devices, but left out a camera for privacy reasons.
On Monday, Google said it was unable to confirm which accounts were affected by the bug, but an analysis indicated it could have been as many as 500,000 Google+ accounts.
Google did not specify how long the software flaw existed, or why it waited to disclose it.
The Wall Street Journal reported that Google executives opted against notifying users earlier because of concerns it would catch the attention of regulators and draw comparisons to a data privacy scandal at Facebook.
Earlier this year, Facebook acknowledged that tens of millions of users had personal data hijacked by Cambridge Analytica, a political firm working for Donald Trump in 2016.
Google has also faced increasing tensions over a reported search engine which would be acceptable to Chinese censors, and over its work for the US military.
On Tuesday, Google confirmed it is dropping out of the bidding for a huge Pentagon cloud computing contract that could be worth up to $10 billion, saying the deal would be inconsistent with its principles.