July’s Disney Data Breach Included Financial and Strategy Secrets, Cruise Passenger and Staff PII

Further review of the information leaked in the recent Disney data breach has turned up sensitive and detailed financial and business strategy information, according to a new report from the Wall Street Journal. The leak also contains sensitive personal information of Disney Cruise Line employees and more basic contact information for some passengers, along with employee login credentials for some parts of the company’s internal cloud infrastructure.

The Disney data breach turned up in mid-July and has been difficult to examine thoroughly, as it contained over a terabyte of data captured from the company’s thousands of internal Slack channels (some 44 million messages in total). The data was dumped to a torrent by a hacking group styling itself as digital activists who attack companies that farm out creative jobs to AI systems.

Disney data breach update brings more bad news for employees and job applicants

The Disney data breach was first made public on July 15. The initial assessment found that it exposed a variety of potentially sensitive business information: staff discussions about the technologies used in various aspects of the media empire, marketing campaigns and even details about future projects. The extent of exposed PII was unclear at the time, with only passing references to information about job applicants being included, and the tranche of data dated back to at least 2019.

It now appears that Disney Cruise Line, which has terminals in Florida and the Bahamas and offers trips to locations throughout the world, was one of the most heavily impacted divisions. The report said that some cruise staff had passport numbers, places of birth, visa information and residential addresses exposed. An additional spreadsheet found in the leak contained names, phone numbers and addresses for some cruise customers.

The Disney data breach also reportedly contained more sensitive internal business information than was initially discovered. This includes detailed revenue reports for assorted products offered by both Disney and ESPN (such as their “+” subscription streaming services and the Genie+ park pass program) and internal discussions about handling the response to Florida’s Parental Rights in Education law.

Prior to the WSJ report, the best public source of information about the Disney data breach was a mandatory SEC filing posted about a month ago. Disney has issued a statement calling the recent WSJ report “unverified” information, but seemed to take issue more with how the material was obtained than with its veracity. Reporters and security analysts with the WSJ spent the past few weeks poring over some 18,880 spreadsheets and 13,000 PDFs to determine the exact extent of the damage, in the absence of Disney volunteering similar details to the public.

Still unclear if Disney data breach was “hacktivism” or a shakedown

“NullBulge” is a relatively new hacking group that had little history prior to the Disney data breach, and the WSJ report sheds little new light on that subject. The group has consistently claimed to be from Russia, but the reporters are now speculating that it may be as few as a single person based in the United States.

What remains unclear is whether the leak was a genuine attempt at hacktivism or an extended and indirect shakedown attempt of some sort. NullBulge claims to attack only companies that use AI to replace the jobs of creative workers, promote cryptocurrency, or steal money. The group previously attacked several AI tools and platforms in May and June of this year, attempting to insert malicious code into publicly available GitHub repositories. It has also distributed mods for video games and modeling software that contain trojans, an apparent means of obtaining employee login credentials to attack bigger fish.

NullBulge has been linked to an older group called AppleBotzz that engaged in similar attack campaigns, but it has publicly denied being the same people and claims to have taken over some accounts formerly used by AppleBotzz. AppleBotzz has previously been observed deploying a custom version of the LockBit 3.0 ransomware.

The threat actor appears to have initiated the Disney data breach by compromising an employee’s personal device via one of its trojan-infected mods. It then extorted the employee into providing access to the company’s Slack channels. One of the big questions still unanswered in this case is how the group hit upon a single employee with such far-reaching access across the company. The group maintains several different data leak sites that seed torrents of its stolen material, as well as an active presence on X and 4chan.

Some security analysts have speculated that the group is quietly seeking a payment from Disney, possibly having secured deeper access to its internal networks or sitting on further unreleased materials, given the scale and effort required and the unlikelihood of a Russian hacking group punishing an American company for cutting largely American jobs. The group may be claiming to be Russian in a bid to deflect attention from US law enforcement agencies.