Senate Republicans are joining their counterparts across the aisle in criticizing Google over its failure to promptly disclose a data leak at the social networking service Google+.

“Google must be more forthcoming with the public and lawmakers if the company is to maintain or regain the trust of the users of its services,” GOP Senators John Thune (South Dakota), Roger Wicker (Mississippi), and Jerry Moran (Kansas) say in a letter sent Thursday to CEO Sundar Pichai.

Their letter comes one day after Richard Blumenthal (D-Connecticut) denounced Google for its “violation of basic norms” in waiting seven months to notify people that Google+ exposed data to outside parties.

Earlier this week, The Wall Street Journal reported that a flaw in Google’s system allowed up to 438 outside developers to access information about Google+ users’ contacts. The vulnerability existed for around three years, and may have exposed up to 500,000 people’s data.

Google reportedly discovered the glitch and fixed it in March, but delayed disclosing it until this week, due to fears of regulatory scrutiny and bad publicity. On Monday, Google said it plans to shut down the consumer version of Google+.

“Data privacy is an issue of great concern for many Americans who use online services,” Thune and the other Republicans write. “Particularly in the wake of the Cambridge Analytica controversy, consumers’ trust in the companies that operate those services to keep their private data secure has been shaken.”

The lawmakers pose a host of questions to Google, including why it waited to inform people about the data leak, and whether there have been similar incidents the company failed to disclose.

On Wednesday, Blumenthal and two other Senate Democrats — Ed Markey (Massachusetts) and Tom Udall (New Mexico) — urged the Federal Trade Commission to launch a broad investigation of Google, including whether it violated the terms of a 2011 consent decree. That order requires Google to create a comprehensive privacy program, undergo independent privacy audits, and obtain consumers’ express consent before sharing their information more broadly than its privacy policy allowed at the time of collection. 

The consent decree stemmed from a separate privacy problem regarding another defunct social networking initiative — Google Buzz. At launch, the service exposed information about users’ email contacts.

“The failure to adequately disclose the Google+ vulnerability calls into question Google’s compliance with the consent decree’s requirements to respect privacy settings and protect private information,” the Democrats write to the FTC.

They add that Ernst & Young conducted at least one required audit during the time the Google+ data was exposed, but failed to find the problem. “Clearly, the FTC cannot continue to allow Google to select its own referee and to self-regulate,” Blumenthal and the others write.

The Democrats add that even apart from the recent news about Google+, the company’s data practices call out for investigation.

“Most consumers do not understand the level, granularity, and reach of Google’s data collection,” the letter says. “Researchers, civil society, and members of Congress have raised an expansive set of privacy concerns to the FTC, including its location monitoring; acquisition of sales data; tracking of non-Google users across the web; and scanning of emails. These allegations raise new issues relevant to the consent decree that should be in the scope of the FTC’s review.”