Disney Employee’s AI Tool Download Sparks Major Data Leak and Controversy

In February of the previous year, Disney employee Matthew van Andel downloaded free AI-based image generation software from GitHub onto his work laptop. However, the AI tool turned out to be a malicious program that granted a hacker access to all of van Andel’s data.

The attacker gained access to the 1Password account that van Andel used to store his passwords, which enabled them to view messages from Disney’s work channels on Slack. Van Andel discovered the issue in mid-July, when a stranger on Discord sent him a message containing a link to a work conversation in Slack.

He reported the situation to the company’s information security department, which confirmed that his Slack account had been compromised. However, the experts did not find anything suspicious on his work laptop and suggested checking his personal devices instead.

Antivirus software eventually detected the malware, which had allowed the hacker to monitor van Andel’s activities and several Disney departments for five months. Later that month, the hacker, known as Nullbulge, published an archive containing over 1 TB of internal company data, including employee communications, source code, images, and details about unreleased projects. The attack also impacted the Roblox accounts of van Andel’s children.

Although many accounts were protected by two-factor authentication (2FA), van Andel’s second authentication step relied on 1Password. He later realized that his 1Password account itself was not secured with 2FA.

In August, van Andel was dismissed following the results of the investigation into his laptop. The reason cited was that he had allegedly accessed pornography, a claim he denies. Disney terminated his employment insurance, resulting in a loss of around $200,000 in bonuses. In December, van Andel’s attorney sent a letter to his former employer demanding eight-figure compensation for lost wages and emotional distress.

Last fall, Disney announced its intention to discontinue using Slack, with reports stating that the company had already begun transitioning to new “optimized enterprise collaboration tools.”