Leaks, breaches and cyberattacks: the biggest hacks of 2014

Loopholes were exploited and security barriers toppled as hackers reigned in 2014. Multinational corporations, celebrities and government websites all fell victim to cyberattacks.

Let’s face it, nowadays it takes more than run-of-the-mill password protection to stay secure -- especially when the most common password is "123456" -- to keep private data safe.

Here are the cyberattacks of significance this year.

Heartbleed infects the CRA

With a name like Heartbleed, it is hard to picture anything but the all-too-common Hollywood trope of a "nerd" typing frantically at a Matrix-esque black and green screen.

Last April, the computer bug that exploits a flaw in widely-used encryption software was responsible for allowing a hacker to access taxpayer data from the Canada Revenue Agency.

The breach saw around 900 SINs stolen from the CRA’s system over a six-hour period, and the agency’s website was down for four days as a "precautionary measure."

On April 15, the RCMP charged 19-year-old Stephen Arthuro Solis-Reyes. Solis-Reyes is a computer science student at Western University, where his father is also a computer science professor specializing in data mining.

----

NRC gets caught phishing

In December, the Canadian government said that Chinese hackers were responsible for a cyberattack against the National Research Council back in July.

The feds claimed the Chinese government baited employees to install malware on government computers, allowing them to get access to valuable data, such as usernames and passwords.

This allowed hackers to connect the research council system to their computers abroad.

Although it wasn’t quite on the same level of government-versus-government cyber warfare as when the U.S. and Israel teamed up to create Stuxnet which reportedly destroyed roughly a fifth of Iran’s nuclear centrifuges in 2011, Chinese hackers may have been attempting to steal sensitive information from the council.

The NRC carries out advanced research in fields including aerospace, health, mining and physics.

----

The "Fappening"

In September, nude photos of more than 100 celebrities, including Oscar-winning actress Jennifer Lawrence, model Kate Upton and actress Mary Elizabeth Winstead were leaked online and posted to social media websites such as Reddit and 4Chan.

This was only the beginning as there were reportedly another two waves of similar incidents in the months to follow of the so-called "Fappening." The name is a reference to the 2008 film "The Happening" combined with the term "fap", which colloquially means to masturbate.

Other celebrities like singer Rihanna, reality TV star Kim Kardashian, model Emily Ratajkowski, and actresses Vanessa Hudgens, Mary-Kate Olsen, Gabrielle Union, Anna Kendrick and Hayden Panettiere were also affected.

The fallout from attack was massive.

Google was threatened with a $100-million lawsuit by celebrity lawyers for allegedly circulating the photos and "making millions from the victimization of women."

The hack also sparked a debate around Internet privacy, as Reddit banned the subreddit "TheFappening." Jennifer Lawrence and many others urged authorities to step in, calling the incident "a sex crime."

The identity of the hackers responsible for the leaks have yet to be determined and the FBI is reportedly investigating. But we do know that the infamous hacker 4Chan is not responsible.

----

Home Depot springs a leak

Just by activating security software, the data of as many as 56 million credit cards may have been protected from a cyberattack.

Instead, credit card data as well as email addresses of Home Depot customers in the U.S. and Canada was put at risk when their systems were compromised. The data leak was revealed in September, but may have begun as early as April.

The U.S.-based retailer, which has more than 2,000 locations across five countries and nearly $79 billion in annual revenue, confirmed the breach on Sept. 8, almost a week after customer credit card data was put up for sale on Rescator.cc.

According to Business Week, internal Home Depot documents suggested that security contractors told the company to beef up its cyberdefences by activating a security key, which may have added an extra line of defence against malicious software designed to target retail terminals.

However, the company chose to keep the security measure deactivated. Internal documents suggest that the program sometimes generated false positives.

Home Depot wasn’t the only major U.S. retailer to report a large compromise in 2014, the list includes: Michaels, Neiman Marcus, UPS, Goodwill, P.F. Chang's and Sally's Beauty Supply.

----

Ottawa goes bananas for hacktivists Aerith

Web users who visited Ottawa.ca on Nov. 21st were treated to an impromptu performance by a "dancing banana" and a note that read "You have been hacked by @AerithXOR."

Aerith claimed to be responsible for a string of attacks on government websites in response to the arrest of an Ottawa teen accused of "swatting," or calling 9-1-1 and faking emergencies in order to lure tactical police teams.

The group alleged the 16-year-old is innocent, and said it had proof that evidence was "manufactured" by police investigators.

In a series of attacks over the next three days, Aerith also took down the Ottawa police website, the Toronto Police Services website and Laval.ca.

----

An 'act of war'?

In December, a group of hackers referring to themselves as the Guardians of Peace infiltrated Sony Pictures Entertainment and leaked an estimated 100 terabytes of data.

The incident came months after North Korea called the release of the “The Interview” an "act of war," and promised "stern" and "merciless" retribution.

The FBI pointed its finger at North Korea, saying there are similarities between the Sony cyberattack and past "malicious cyber activity" connected directly to North Korea.

Speculation was rampant that the break-in was perpetrated by the isolated nation in response to the Sony-produced comedy "The Interview," about a CIA plot to assassinate Kim Jong Un.

Pyongyang denied responsibility, but also referred to the attack as a "righteous deed."

Sony initially shelved the Christmas Day release of "The Interview" due to threats of a terrorist attack, but later made the film available on a number of online streaming services.

Hackers praised Sony’s decision to pull the plug on the film's theatrical release, telling the studio in an email that the decision was "very wise" and saying its data would be safe "as long as you make no more trouble."

The breach has been followed by a firestorm of controversy, which has proven to be "Nazzo Good," like the alias of Rob Schneider whose fake name, along with that of a number of other Hollywood celebrities, was made public in the hack.

Five movies, four of them unreleased, were leaked to pirating websites: "Fury," "Annie," "Still Alice," "Mr. Turner" and "To Write Love on Her Arms."

A list of Sony executives' salaries and private email exchanges were also made public.

The details of several of these exchanges have put people like Sony’s co-chair, Amy Pascal, and Oscar-winning producer Scott Rudin in hot water over their remarks. Pascal apologized for "insensitive and inappropriate" comments in her emails about U.S. President Barack Obama’s presumed taste in movies. While Rudin was criticized for calling Angelina Jolie a "minimally talented spoiled brat."

Perhaps the most embarrassing detail to surface in the aftermath of the attack was that Sony kept a trove of company passwords, virtually gift wrapped and tied with ribbon for hackers with the label "Password" in their system’s file directory. The directory contained files with thousands of passwords to Sony’s internal computers, social media accounts and web service accounts.