Yahoo has confirmed that it is the victim of a cyber security breach affecting at least 500m accounts, perhaps the largest in history. Data breaches of email and social media accounts, retail stores, health insurance companies and even governments are now routine. The lesson to be learnt from the Yahoo breach may be that, when it comes to cyber security, we are not learning the right lessons.
Following major breaches, companies often deflect responsibility by pointing the finger at “state-sponsored actors”, as Yahoo did. Certainly, states do engage in this kind of activity and in some cases leave enough of a trail to be blamed.
But there is also reason to be sceptical of Yahoo’s claim. Presenting breaches as nation-state attacks suggests that there was nothing the company could have done to defend its users. It is better PR for a company to blame a foreign intelligence service than to admit it lacked basic security features. Blaming a state also puts companies on a stronger legal footing against users who may seek to sue them.