A Yahoo logo in Rolle, Switzerland. Picture: REUTERS/DENIS BALIBOUSE

TAIPEI — It’s funny because it’s true.

Claiming a hack was launched by a foreign government is the ultimate get-out-of-jail-free card for embarrassed corporate executives.

Yahoo said on Thursday that a massive attack on its network in 2014 allowed hackers to steal data from half a billion users.

Yahoo, which confirmed details of the breach months after reports of a major hack, said its investigation concluded that "certain user account information was stolen" and that the attack came from "what it believes is a state-sponsored actor".

Yahoo’s announcement sums up the ridiculous attitude so many in management (and in public relations) take towards cyber security. In blaming a "state-sponsored actor," Yahoo seems to be trying to tell us "there’s nothing we could do". JPMorgan tried a similar tactic, with little success, after a 2014 hack.

It’s as if foreign governments are expected to be able to breach any firm’s cyber-security measures, and corporations should be forgiven.

That’s bunkum.

Cyber security is one of the few areas where victim-blaming might be considered acceptable, and by victim, I mean the companies.

In reality, the real victims are the customers, because little downside ever seems to visit the corporations, or their executives.

I know I’m going out on a limb here, but by implying a hack is state-backed, and thus couldn’t be stopped, corporations are by extension blaming users themselves. That’s not acceptable.

Obfuscation aside, it may not be an entirely stupid move to blame a nation like China, Russia, North Korea or the US. (Come on, if you’re pointing fingers don’t leave anyone out!)

You see, a state-backed hack may be better news than a nongovernment attack. Crazy, I know, but hear me out.

If a government is hacking your service provider, it’s more likely to be looking for strategically valuable information, or a way to extract information from a strategically valuable person.

If you’re an average Joe teaching gym at the local high school you’re probably not on the hacker’s radar. If you’re a White House staffer sending POTUS’s private schedule — or nuclear launch codes — to your Yahoo Mail account, then you’re SOL.

A nongovernment hacker is probably in it for commercial reasons. Stealing credentials en masse to sell to the highest bidder is just one business model. And since buyers know that even coach Joe has a credit card, that’s valuable information.

There’s nothing to suggest a state-sponsored hacker isn’t also in it for commercial reasons — heck, a bit of ransomware would be a great way to fund the office Christmas party — but that’s not usually their primary purpose.

At the same time, remember that state-sponsored and commercial hacks aren’t mutually exclusive.

While Yahoo’s position in the global internet economy is declining, its legacy status and massive e-mail base make this breach important, and damaging.

Blaming it on a state-sponsored actor looks suspiciously like PR spin, but the alternative could be worse.

• This column does not necessarily reflect the opinion of Bloomberg and its owners.

Bloomberg