
Lessons from the Yahoo data theft


Data theft may be an increasingly common occurrence on the internet.


But even in these desensitised times, few breaches can match the one revealed by Yahoo on Thursday, when it announced the theft, dating from 2014, of personal information belonging to 500m users.


The sheer scale of the infraction begs a host of questions about the company’s management and whether it took enough care of its customers’ personal data.


It also raises questions about public disclosure and issues over the future, or at least the price, of Yahoo’s $4.8bn sale to Verizon.


In recent years, there has been a rising number of cyber breaches affecting companies and millions of users.


What is both striking and unnerving about the Yahoo case is that it went apparently undetected for two years.


The company’s claim that no high-value information such as credit card data was extracted is cold comfort, and one that does nothing to excuse Yahoo for its failure to notice the cyber incursion.


Nor is it enough for the company to claim that the fact its attackers were state sponsored absolves it from spotting the tracks.


The idea that the hackers were somehow invisible is anyway belied by Yahoo’s own account of how the breach was uncovered.


It instigated deeper security checks after a quantity of data popped up for sale for $1,800 on the so-called dark web and was reported by the technology publication, Vice Motherboard.


These procedures appear to have revealed the looting that the company now admits took place.


This sequence of events raises serious questions about Yahoo’s management and whether it took the security of its customer data sufficiently seriously.


Security experts claim that before 2014 the company was still using outdated and vulnerable encryption systems.


For a company which then had 1bn users on its network, this suggests an uncomfortably lax security culture.


Given the scale and wealth of the Yahoo organisation, lack of resources cannot be seen in any way as an excuse.


No less concerning is the company’s behaviour in the wake of the discovery of the breach.


Marissa Mayer, its chief executive, was made aware in July that a breach was being investigated but it is unclear precisely when Yahoo became aware of the scale of the problem.


In early September, however, the company declared in a securities filing that it had no knowledge of any incidents of security breaches, unauthorised access or unauthorised use of its systems.


Its merger partner Verizon will no doubt be interested to learn more about what exactly the company knew when it delivered those words.


This week’s disclosures do little for Yahoo’s already diminished reputation.


Its future must now be in jeopardy, as could the Verizon deal.


But the repercussions may well go beyond Yahoo.


With many users having the same passwords on multiple platforms, consumers are justifiably worried that the data breach might lead to their accounts at other sites being compromised.


If a company whose business is at the very heart of the world wide web has insufficient security, what other sites and services may be similarly vulnerable?


Regulators need to stress both the importance of vigilance and of the speed with which companies disclose breaches so that systemic weaknesses can be avoided.


Officials in the UK and Ireland, where Yahoo has its European headquarters, have already asked the US technology group to supply more details about the cyber attack.


Yahoo is the victim of a serious crime.


But the lessons will go far beyond the company.
