5 Worst Security Fails of 2014

Credits: Columbia Pictures; Jaguar PS/Shutterstock. Composite image by Tom's Guide.

Credits: Columbia Pictures; Jaguar PS/Shutterstock. Composite image by Tom's Guide.

From start to finish, 2014 was chock-full of embarrassing security failures. Executives' emails, starlets' nude photos and your credit-card numbers all got into the hands of bad people who seemed to run rampant over the Internet without restraint.

The sad fact is that many of these failures could have been avoided. Each of our top five flubs was made possible by a lapse in judgment or oversight.

Snapchat should have listened to the white-hat hackers who alerted the company to problems with its apps. Sony Pictures should have noticed terabytes of information escaping from its servers. Apple should have studied how Google and Facebook protected their users' online data. Home Depot should have studied the Target data breach to learn what not to do. And open-source software coders should have reviewed the security protocols whose flaws came to be known as Heartbleed and Shellshock.

Here's hoping that 2014's hard-learned lessons lead to a less eventful 2015. In the meantime, here are our top five security fails of the past year.

MORE: 10 Biggest Tech Fails of 2014


Why you can trust Tom's Guide Our writers and editors spend hours analyzing and reviewing products, services, and apps to help find what's best for you. Find out more about how we test, analyze, and rate.

The ephemeral-messaging service Snapchat celebrated New Year's Day 2014 with a massive data breach it could have avoided. More than 4 million username-and-phone-number combinations were uploaded to the Internet, a small slice of Snapchat's tens of millions of users. The credentials were gathered using methods Snapchat had been alerted to back in August 2013, but didn't fully address. Just before the breach, Snapchat executives had dismissed the threat as "theoretical."

Snapchat went on to suffer more security woes in 2014, such as the October "Snappening" that saw hundreds of supposedly deleted photos and videos taken by Snapchat users posted online. The company even had its business secrets revealed in December, when emails written by Sony Pictures CEO Michael Lynton, who sits on Snapchat's board, were leaked as part of the Sony Pictures hack (see below).

Heartbleed, Shellshock and POODLE

Much of the Web's security is handled by free, open-source protocols maintained by a handful of unpaid volunteers. Nevertheless, people were shocked in April when a devastating flaw, quickly dubbed "Heartbleed," was discovered in the OpenSSL code library, which encrypts communications between Web servers and Web browsers. The flaw had been accidentally introduced by a German coder on New Year's Eve of 2011. 

The discovery of Heartbleed prompted a closer look at other open-source security protocols, leading to the uncovering of the Shellshock flaw in the Bash command-line interface in September and the POODLE vulnerability in the SSL protocol in October.

MORE: Best Antivirus Software

Apple iCloud Celebrity Nude Breach

Labor Day weekend was disastrous for Jennifer Lawrence, Kate Upton and a hundred other young starlets as nude photos they'd privately taken of themselves started appearing online. The data dump offered a peek at a thriving underground trade in nude selfies, many of which were obtained by easily bypassing Apple's online security to access other people's automatically created iCloud backups of iPhone photos. Apple blamed the breach on sloppy user practices, but then tightened iCloud security two weeks later.

MORE: Best Mac Antivirus Software

Home Depot Data Breach

Rumors that payment-card data had been stolen from Home Depot stores first appeared Sept. 2, yet the company took nearly a week to admit that anything had gone wrong. In the end, it turned out that 56 million credit and debit cards, and 53 million customer email addresses, had been compromised due to malware that infected company-wide payment systems in both the United States and Canada. Surprisingly, there was no corresponding media panic like that around Target's similar data breach nine months earlier; experts ascribed the public apathy to "breach fatigue."

Sony Pictures Entertainment Database Theft

On Nov. 24, staffers at Sony Pictures Entertainment, the television- and movie-producing division of Sony, had their computer screens hijacked by a grinning skull. Within days, gigabytes of internal Sony Pictures data began to appear online, including actors' and executives' Social Security numbers, corporate emails, unpublished scripts, financial and legal information, and even four entire unreleased Sony movies.

The data breach placed 47,000 staffers, freelancers and former employees at risk of identity theft, and rival Hollywood studios got details of Sony Pictures' finances and future plans. As of this writing, new data was being leaked daily, along with vague threats that caused five national cinema chains to pull bookings for a Sony movie.

U.S. officials blamed North Korea for the data theft, while security experts suspected disgruntled insiders. Whatever the cause, the incident threatens Sony Pictures Entertainment as a company and may be the most damaging corporate data breach ever.

MORE: Best Android Antivirus Apps

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.

Any other epic security fails you'd have included? Let us know in the comments.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.