From start to finish, 2014 was chock-full of embarrassing security failures. Executives' emails, starlets' nude photos and your credit-card numbers all got into the hands of bad people who seemed to run rampant over the Internet without restraint.
The sad fact is that many of these failures could have been avoided. Each of our top five flubs was made possible by a lapse in judgment or oversight.
Snapchat should have listened to the white-hat hackers who alerted the company to problems with its apps. Sony Pictures should have noticed terabytes of information escaping from its servers. Apple should have studied how Google and Facebook protected their users' online data. Home Depot should have studied the Target data breach to learn what not to do. And open-source software coders should have reviewed the security protocols whose flaws came to be known as Heartbleed and Shellshock.
Here's hoping that 2014's hard-learned lessons lead to a less eventful 2015. In the meantime, here are our top five security fails of the past year.
The ephemeral-messaging service Snapchat celebrated New Year's Day 2014 with a massive data breach it could have avoided. More than 4 million username-and-phone-number combinations were uploaded to the Internet, a small slice of Snapchat's tens of millions of users. The credentials were gathered using methods Snapchat had been alerted to back in August 2013, but didn't fully address. Just before the breach, Snapchat executives had dismissed the threat as "theoretical."
Snapchat went on to suffer more security woes in 2014, such as the October "Snappening" that saw hundreds of supposedly deleted photos and videos taken by Snapchat users posted online. The company even had its business secrets revealed in December, when emails written by Sony Pictures CEO Michael Lynton, who sits on Snapchat's board, were leaked as part of the Sony Pictures hack (see below).
Heartbleed, Shellshock and POODLE
Much of the Web's security is handled by free, open-source protocols maintained by a handful of unpaid volunteers. Nevertheless, people were shocked in April when a devastating flaw, quickly dubbed "Heartbleed," was discovered in the OpenSSL code library, which encrypts communications between Web servers and Web browsers. The flaw had been accidentally introduced by a German coder on New Year's Eve of 2011. The discovery of Heartbleed prompted a closer look at other open-source security protocols, leading to the uncovering of the Shellshock flaw in the Bash command-line interface in September and the POODLE vulnerability in the SSL protocol in October.
Apple iCloud, Celebrity Nude Breach
Labor Day weekend was disastrous for Jennifer Lawrence, Kate Upton and a hundred other young starlets as nude photos they'd privately taken of themselves started appearing online. The data dump offered a peek at a thriving underground trade in nude selfies, many of which were obtained by easily bypassing Apple's online security to access other people's automatically created iCloud backups of iPhone photos. Apple blamed the breach on sloppy user practices, but then tightened iCloud security two weeks later.
Home Depot Data Breach
Rumors that payment-card data had been stolen from Home Depot stores first appeared Sept. 2, yet the company took nearly a week to admit that anything had gone wrong. In the end, it turned out that 56 million credit and debit cards, and 53 million customer email addresses, had been compromised due to malware that infected company-wide payment systems in both the United States and Canada. Surprisingly, there was no corresponding media panic like that around Target's similar data breach nine months earlier; experts ascribed the public apathy to "breach fatigue."
Sony Pictures Entertainment Database Theft
On Nov. 24, staffers at Sony Pictures Entertainment, the television- and movie-producing division of Sony, had their computer screens hijacked by a grinning skull. Within days, gigabytes of internal Sony Pictures data began to appear online, including actors' and executives' Social Security numbers, corporate emails, unpublished scripts, financial and legal information, and even four entire unreleased Sony movies.
The data breach placed 47,000 staffers, freelancers and former employees at risk of identity theft, and rival Hollywood studios got details of Sony Pictures' finances and future plans. As of this writing, new data was being leaked daily, along with vague threats that caused five national cinema chains to pull bookings for a Sony movie.
U.S. officials blamed North Korea for the data theft, while security experts suspected disgruntled insiders. Whatever the cause, the incident threatens Sony Pictures Entertainment as a company and may be the most damaging corporate data breach ever.