Two Hacks, One Empire: The Cyber Assaults Disney Didn’t See Coming


Disney was hit by two major 2024 cyberattacks, an ex-employee’s sabotage and a hacker’s AI trap, exposing internal flaws and stealing 1.1TB of sensitive data.

In two unrelated incidents, The Walt Disney Company has found itself the target of major cyberattacks from disgruntled former employees and external malicious actors. These cases, unfolding in 2024, involve a range of damaging activities, from menu sabotage to large-scale theft of confidential data.

One of these incidents involved Michael Scheuer, a former menu production manager at Walt Disney World. Following his termination for misconduct in June 2024, Scheuer launched a digital campaign of sabotage against his former employer. He illegally accessed Disney’s internal menu creation system for park restaurants and made dangerous alterations.

These included falsely labelling food items containing peanuts as “peanut-free,” a change that could have had life-threatening consequences for individuals with peanut allergies. Strangely, Scheuer’s VPN IP address range matched his usage while employed, which should have been terminated.

Furthermore, Scheuer tampered with wine region labels, referencing locations of recent mass shootings, altered prices, inserted offensive language, replaced QR codes with links to a website advocating for a boycott of Israel due to the Gaza invasion, and even changed the menu font to the symbolic Wingdings typeface, rendering the system inoperable. Fortunately, Disney detected these changes before they impacted customers.

Scheuer also deployed a bot designed to repeatedly attempt logins to at least 14 employee accounts, effectively rendering their accounts unusable. A “dox” file found on his computer contained the personally identifiable information (PII) of his targets, indicating an intent to intimidate/harass them. Arrested in October 2024, Scheuer pleaded guilty and expressed remorse. Prosecutors advocated for a 70-month prison sentence, but Scheuer was sentenced to 3 years and ordered to pay about $688,000 in restitution.
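The login bot described above abuses the lockout policy itself, so the useful signal is one source driving many distinct accounts to the lockout threshold. The sketch below is an added example, not code from the case or from Disney; the log format, thresholds, account names, and IP addresses are all constructed assumptions.

```python
"""Flag sources whose failed logins push many distinct accounts into lockout."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window
LOCKOUT_AFTER = 3               # assumed lockout policy: failures per account
MIN_ACCOUNTS = 5                # assumed alert threshold: locked accounts per source

def lockout_sources(lines):
    """Return {source_ip: sorted accounts locked out by that source}.

    Each line is '<ISO timestamp> <source ip> <account> <OK|FAIL>'.
    """
    fails = defaultdict(list)                     # source -> [(ts, account)]
    for line in lines:
        ts, src, account, result = line.split()
        if result == "FAIL":
            fails[src].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            counts = defaultdict(int)
            for _, account in events[start:end + 1]:
                counts[account] += 1
            locked = {a for a, n in counts.items() if n >= LOCKOUT_AFTER}
            if len(locked) >= MIN_ACCOUNTS:
                flagged[src] = sorted(locked | set(flagged.get(src, [])))
    return flagged

def sample_log():
    """Constructed log: one source cycling 14 accounts, one user mistyping."""
    base = datetime(2024, 7, 1, 9, 0, 0)
    lines = []
    for rnd in range(3):                          # three passes over 14 accounts
        for i in range(14):
            ts = base + timedelta(seconds=rnd * 60 + i)
            lines.append(f"{ts.isoformat()} 203.0.113.7 emp{i:02d} FAIL")
    for i in range(4):                            # ordinary user, single account
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 198.51.100.20 emp03 FAIL")
    ok = base + timedelta(minutes=5)
    lines.append(f"{ok.isoformat()} 198.51.100.20 emp03 OK")
    return lines

if __name__ == "__main__":
    for src, accounts in lockout_sources(sample_log()).items():
        print(f"ALERT {src}: {len(accounts)} accounts driven to lockout")
```

Keying on distinct locked accounts per source, rather than raw failure counts, keeps a single user who mistypes a password from raising the alert.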

In a separate incident, California resident Ryan Mitchell Kramer, 25, under the alias NullBulge, pleaded guilty to “one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer” for hacking a Disney employee.

For your information, Kramer hacked a Disney employee by distributing a malicious AI image generation tool extension on GitHub in April 2024, as reported by Hackread.com. This fake extension, ComfyUI_LLMVISION, stole passwords and payment data, sending it to Kramer’s Discord server, revealed vpnMentor. The embedded files were named after prominent AI companies, OpenAI and Anthropic. Eventually, he gained access to private Disney Slack channels and, by May, downloaded 1.1 terabytes of confidential data.

After posing as a hacktivist and receiving no response, Kramer publicly released the stolen Disney material and the employee’s personal banking, medical, and other private details. Court documents revealed that at least two other individuals had also installed Kramer’s malicious software, granting him unauthorized access to their computers and accounts as well. Kramer is expected to appear in court in the coming weeks.

The consequences of these breaches range from potential harm to customers and reputational damage to the significant compromise of sensitive data, highlighting the need to implement stronger cybersecurity measures, including stringent access controls, continuous monitoring of network activity, and employee training on identifying and avoiding social engineering tactics.
