An activist hacking group claimed it leaked thousands of Disney’s internal messaging channels (roughly 1.2 terabytes of information), which included information about unreleased projects, raw images, computer codes and some logins.
Nullbulge, the “hacktivist group,” claimed responsibility for the breach in a blog post. It said it published data from thousands of Slack channels at the entertainment company, including computer code and details about unreleased projects. Slack is widely used within large companies for group communications about strategic initiatives.
The group claimed it gained access through “a man with Slack access who had cookies,” and it claimed the group was based out of Russia.
“The user was aware we had them, he tried to kick us out once but let us walk right back in before the second time,” the group said. It also stated that it wants to protect artists’ rights and compensation for their work, especially in the age of artificial intelligence, and that it was challenging the company’s “blatant disregard for the consumer.”
In June, the group posted on X what appears to be visitor, booking and revenue data at Disneyland Paris that it claimed to have obtained from the company’s Slack channels.
Material included conversations about maintaining Disney’s corporate website, software development, assessments of candidates for employment, programs for emerging leaders within ESPN, and photos of employees’ dogs, with data stretching back to at least 2019.
The group said it leaked the data because it believed that Disney would not respond to any kind of ransom demand. “If we said ‘Hello Disney, we have all your Slack data,’ they would instantly lock down and try to take us out. In a duel, you better fire first,” a spokesperson said.
Hacker has a beef with AI
Nullbulge bills itself as a hacktivist group that advocates for artist rights and chooses its targets based on a set of social, economic or political values. A spokesperson for the group said via an online message that it targeted Disney “due to how it handles artist contracts, its approach to AI, and it’s [sic] pretty blatant disregard for the consumer.”
Nullbulge had been hinting at the giant release for the past few weeks on its social media; in June, the group posted on X what appears to be visitor, booking and revenue data at Disneyland Paris that it claimed to have obtained from the company’s Slack channels.
The hacker is committing an unequivocally extreme and illegal act here – but in doing so it is showcasing some of the fears that people in the entertainment sector are feeling when it comes to generative AI.
During the strikes that involved employee members of the Screen Actors Guild and the Writers Guild of America, artificial intelligence was among the points that were difficult to reach agreement on. Actors feared that computer-generated images could replace them and be reused, while writers were afraid about ChatGPT’s affect on scriptwriting.
Their fears might not be far-fetched: In June 2023, Marvel showcased titles – opening sequences with episode names – for the series Secret Invasion on Disney+ that were created in part with AI tools. Actors have taken legal action over such things – Scarlett Johansson sued OpenAI for creating, or seeming to create, a likeness of her voice for their bot, for example.
Business comms and risk
Employee correspondence can prove highly problematic for businesses and is proving to be considerably damaging in terms of the financial, reputational and compliance and legal costs associated with it.
In 2014, hackers linked to North Korea sent Sony Pictures into chaos, damaging internal systems and publicly releasing embarrassing email messages that led to its co-chair, Amy Pascal, having to step down from her role.
More recently, an incident at Columbia University in which senior administrators engaged in text-message exchanges during an event entitled “Jewish Life on Campus: Past, Present, and Future” that touched on anti-semitic stereotypes led to the staff members being removed from their jobs.
Sufficient security measures that are tested, upgraded, and supported by ongoing employee training can help mitigate the risks.
As a company, Disney runs the gamut of internal business divisions, such as its own movies, streaming services like Disney+ and Hulu, its theme parks, plus cable TV and sports giant ESPN. It is also home to popular franchises, including Marvel and Star Wars.
The public disclosure of a company’s internal messages, code and documents can be highly disruptive, often compromising a business’s confidential and proprietary information, and degrading its privacy and security posture and its stakeholders’ confidence in them. It can lead to financial loss, reputational damage, regulatory fines and litigation risk.
Sufficient security measures that are tested, upgraded, and supported by ongoing employee training can help mitigate the risks. Managing some of these risks is not rocket science – although it’s certainly not easy to ensure compliance from everyone at all times.
Limiting and monitoring employees’ or contractors’ access to information; using the appropriate tech tools to ensure confidential data is not sent over public or unsecured networks; and strict guidelines over and surveillance of communication channels should be a bedrock principle of proper recordkeeping and security assurance at any business.