More information about the July Disney data breach is available as Wall Street Journal reporters have examined the gigantic set of about 44 million Slack messages, including some 18,880 spreadsheets and 13,000 PDF files. Some of the key pieces of their findings include personal information for Disney Cruise Line staff and passengers, and financial reports on the company’s assorted video streaming and park pass services (something of a big deal as these numbers are generally not released to the public).
There is also a scrap or two of new information on the perpetrators, the self-styled hacktivist group calling itself “NullBulge,” but the true motivation for the attack remains in question.
Size, location and motivation of Disney data breach perps called into question
NullBulge first surfaced around May of this year, and has a limited and mixed record of hacking actions that calls into question its claim of being focused on “hacktivism.” One new piece of information is that the group may not be from Russia (as it claims), and that it may not even be a group; the WSJ reporters think it’s possible that it is a lone individual based in the United States.
Security analysts had already been speculating that the Disney data breach was a low-key attempt to extort the company, despite NullBulge’s claim that the attack was retribution for the company’s increasing use of AI in its commercial art. The group claims it attacks companies that commit the “sins” of replacing jobs with AI, using or promoting cryptocurrency, or stealing money, none of which make much sense for Russian hackers targeting foreign firms.
The group did get its start by targeting several AI tool projects on GitHub, attempting to slip malicious code into them. However, it has also been observed selling infostealer logs for profit, and an older group it appears to have ties to has attacked victims with LockBit 3.0 ransomware.
Disney has yet to release much public comment on the event, beyond a mandatory SEC filing that became available about a month ago. This has created natural speculation that there is even more depth to the Disney data breach, with the hackers potentially negotiating with the company to prevent the release of even more information. The WSJ report has verified that employee login credentials were included in the stolen Slack messages, creating the possibility that the hackers moved even further into the company network.
Disney Cruise Line employees should take appropriate precautions
At the moment, reporters and security researchers only indicate that a database of Disney Cruise Line customers was found that contains basic contact information such as home addresses and phone numbers. The news is worse for employees of the division, who may have had passport and visa details exposed along with their home addresses and places of birth.
In terms of leaked business information, the headline item of the Disney data breach is now revenue numbers from the company’s streaming services (such as Disney+ and ESPN+) and the relatively new Genie+ park pass program (even more recently changed to “Lightning Lane”). The company usually keeps these numbers under wraps. The leaked Slack messages also included exchanges about staff sentiment and the company’s planned response to Florida’s Parental Rights in Education law.