1k Data Breaches Later, the Disclosure Lag Is Worse
Today, I loaded the 1,000th data breach into Have I Been Pwned. Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed? Especially considering the emergence of privacy regulations such as GDPR and CCPA in the 12 and a half years since I started HIBP, what possible purpose does it still serve? The title kinda gives the answer away, and the big number we hit today coincided with another pattern that makes everything worse: increasingly long lag times for disclosure.
This is all going to be anecdotal, and as far as I know, there are no hard numbers for me to cite, but the evidence is everywhere. Here’s what I mean:
(Tweet content omitted for brevity)
That was the 24th of April, five days after news of the incident had broken. Given ShinyHunters’ MO, Carnival would have known about the breach many days before they ratcheted up extortion pressure by announcing the impending leak on their website. The subsequent leak on the 24th was very public: an announcement was posted to the group’s dark-web site, the data itself was published to their clear-web site, and industry commentary followed.
Per that last post, the data was then reposted to all sorts of other places: hacking forums, Telegram channels, and who knows how many other, more private locations. The point is that it spread quickly, extensively, and, without any shadow of a doubt, Carnival were aware of this. They then told people about it on the 27th… of May. According to their press release that same day, this was 43 days after learning about the incident. For more than 6 weeks, data breach victims whose names, dates of birth, email addresses, loyalty program details and, of course, their association with Carnival leaked to the public en masse had absolutely no idea of their exposure. And if they asked Carnival about it? Well:
So, why the delay? Last week’s press coverage may give some insight: “thorough and time-consuming analysis of the impacted data.” Often, the reason I hear for disclosure lag is “we needed to fully assess the scope of exposed data before notifying people”. The issue I have with this position is that it implies that even an early heads-up can’t happen until there’s a very comprehensive understanding of the impact. There are many things that take time to establish after a data breach: the jurisdiction each individual sits in, the precise data that was exposed about them and additional information that may be buried in terabytes of exfiltrated data in all sorts of different formats. But pulling out email addresses and sending early notification is very easy - I’ve literally done it a thousand times now.
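The point above is that an early heads-up only needs the email addresses, not a full scope analysis of every record. As an added example (not code from the original post or from HIBP), here is a small extractor that pulls unique addresses out of exfiltrated data in three common formats at once: a CSV export, JSON-lines records with nested fields, and free text such as support tickets. The sample inputs are constructed for the example; the function and variable names are the example's own.

```python
import csv
import io
import json
import re
from typing import Iterable, Set

# Constructed sample "exfiltrated data" in three formats, standing in for what a
# breached organisation might have to sift through. None of these are real people.
SAMPLE_CSV = """id,full_name,email,dob
1,Alice Example,Alice@Example.com,1980-01-02
2,Bob Example,bob@example.org,1975-05-06
3,Broken Row,not-an-email,1990-09-09
"""

SAMPLE_JSONL = """{"customer": {"contact": {"email": "carol@example.net"}}, "loyalty": "GOLD"}
{"customer": {"contact": {"email": "ALICE@example.com"}}, "loyalty": "SILVER"}
{"customer": {"contact": {}}, "loyalty": "NONE"}
"""

SAMPLE_TEXT = """Support ticket #4711 opened by dave@example.com re: booking.
cc: eve.adams@example.co.uk; duplicate of Dave@Example.com
"""

# Conservative address pattern: good enough to pull candidate addresses out of
# arbitrary text. A real mail-out would additionally check deliverability.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def normalise(addr: str) -> str:
    """Lower-case the whole address so case variants collapse to one recipient."""
    return addr.strip().lower()


def emails_from_csv(text: str) -> Iterable[str]:
    """Yield every CSV field value that is an email address, whatever the column is called."""
    for row in csv.DictReader(io.StringIO(text)):
        for value in row.values():
            if value and EMAIL_RE.fullmatch(value.strip()):
                yield value


def _walk(obj):
    """Depth-first walk over nested JSON, yielding every string leaf."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _walk(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk(v)
    elif isinstance(obj, str):
        yield obj


def emails_from_jsonl(text: str) -> Iterable[str]:
    """Yield addresses found anywhere inside each JSON-lines record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        for leaf in _walk(json.loads(line)):
            if EMAIL_RE.fullmatch(leaf.strip()):
                yield leaf


def emails_from_text(text: str) -> Iterable[str]:
    """Yield addresses embedded in unstructured text."""
    yield from EMAIL_RE.findall(text)


def early_notification_list(sources) -> Set[str]:
    """Union of normalised addresses across every (extractor, data) pair handed in."""
    found: Set[str] = set()
    for extractor, text in sources:
        found.update(normalise(a) for a in extractor(text))
    return found


def build_from_samples() -> Set[str]:
    """Run all three extractors over the constructed samples."""
    return early_notification_list([
        (emails_from_csv, SAMPLE_CSV),
        (emails_from_jsonl, SAMPLE_JSONL),
        (emails_from_text, SAMPLE_TEXT),
    ])


if __name__ == "__main__":
    recipients = build_from_samples()
    print(f"{len(recipients)} unique addresses for early notification")
    for addr in sorted(recipients):
        print(addr)
```

The seven raw hits collapse to five recipients because the extractor lower-cases addresses before de-duplicating, and the malformed "not-an-email" field is dropped. Nothing here needs the jurisdiction, date of birth or loyalty details to be understood first; that analysis can continue while the first notice goes out.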
This isn’t just a Carnival issue; in fact, it was off the back of this next one only a few days later that I was prompted to write this post: FFS. 45 days. Even worse than Carnival. And like Carnival, very broadly distributed and easily accessible by the masses, including HIBP.
I have a working theory that the disclosure lag is worsening in part due to the proliferation of class actions immediately following a breach. In my live stream last weekend, I did a quick search for the DentaQuest breach: Three of the first four results are all for class actions related to the breach, and there are two more class action results a little further down the page. I’ve been raising concerns about the adverse impact of class actions for many years now, and it’s worse than I’ve ever seen. By a big margin, too.
It’s not just me observing how the behaviour of these orgs appears to be influenced by how lawyers will respond, either. Have a read of this post from Roby Joyce after he learned about his exposure in the ZenBusiness breach via HIBP. What especially caught my eye was this sentence: “That is not a customer-protection posture. That is a litigation posture.”
This isn’t about prioritising the customer, it’s about protecting the organisation. I don’t think most people understand that organisational accountability really lies with their shareholders, first and foremost. All the pleasantries around “customers are our number one priority” and “we take security seriously” are all secondary to shareholder happiness, and minimising the chances of getting their arses sued into oblivion is a big part of that.
Which brings me to the next problem as it relates to disclosure lag: it may be infinite. By which I mean you may never be told. Ever. GDPR allows it. CCPA allows it. Whatever your local privacy regulation…