Two Breaches, One Empire: The Cyber Attacks Disney Never Anticipated

In 2024, Disney faced two significant cyberattacks: one stemming from an ex-employee’s sabotage and another carried out through a malicious AI image-generation tool, which together exposed internal vulnerabilities and led to the theft of 1.1TB of sensitive data.

The Walt Disney Company has recently experienced two targeted cyberattacks on its infrastructure, one linked to a disgruntled former employee and the other to an external threat actor. Both events underscore a concerning trend in cyber vulnerabilities, with activity ranging from digital sabotage to extensive data breaches.

Michael Scheuer, Former Disney Employee

One notable incident involved Michael Scheuer, previously a menu production manager at Walt Disney World. Following his termination for misconduct in June 2024, Scheuer orchestrated a digital sabotage campaign against Disney. He unlawfully accessed the company’s internal menu system, introducing detrimental changes that could have severely endangered patrons.

Among his alterations, he relabeled food items that contained peanuts as “peanut-free,” a potentially life-threatening error for individuals with allergies. Additionally, the VPN IP address used in the attack matched the one he had used during his employment, raising questions about how his access was revoked after termination.

Aside from food labeling, Scheuer tampered with wine region labels associated with recent mass shootings, altered prices, included offensive language, and replaced QR codes with links to activist websites related to the ongoing conflict in Gaza. He even changed the system’s font to Wingdings, rendering it practically unusable. Disney managed to identify these changes prior to their impact on customers.

Furthermore, Scheuer deployed a bot designed to conduct repeated login attempts on at least 14 employee accounts, effectively locking them out. A folder on his computer contained personally identifiable information (PII) of various targets, suggesting possible intent to intimidate or harass them. After being arrested in October 2024, Scheuer pleaded guilty and was sentenced to three years in prison along with approximately $688,000 in restitution.
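To show how the two signals in this incident could be surfaced from VPN authentication logs, here is an added Python example (not code from the article or from Disney): it flags a successful login by a terminated user after their offboarding date, and a single source IP that fails logins against many accounts in a short window. The log format, user names, IP addresses, dates and thresholds are all constructed for illustration.

```python
"""Added example, not from the article: two detections modeled on the incident,
a terminated employee's VPN login after the termination date, and one source IP
driving failed logins across many accounts (a lockout bot). All data is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<timestamp> <user> <src_ip> <result>"
SAMPLE_LOG = """\
2024-07-02T01:10:05 mscheuer 203.0.113.7 SUCCESS
2024-07-02T01:11:40 jdoe 203.0.113.7 FAIL
2024-07-02T01:11:41 asmith 203.0.113.7 FAIL
2024-07-02T01:11:42 bwong 203.0.113.7 FAIL
2024-07-02T01:11:43 ckhan 203.0.113.7 FAIL
2024-07-02T01:11:44 dlee 203.0.113.7 FAIL
2024-07-02T02:00:00 jdoe 198.51.100.20 SUCCESS
"""
# Constructed HR offboarding data: user -> termination timestamp (hypothetical date)
TERMINATED = {"mscheuer": datetime(2024, 6, 13)}

def parse(log_text):
    """Parse the constructed lines into (timestamp, user, src_ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def post_termination_access(events, terminated):
    """Successful logins by a user after their recorded termination date."""
    return [(user, ip) for ts, user, ip, res in events
            if res == "SUCCESS" and user in terminated and ts > terminated[user]]

def lockout_sources(events, min_accounts=5, window_s=60):
    """Source IPs whose failed logins hit >= min_accounts distinct users
    within window_s seconds: the footprint of a lockout bot."""
    by_ip = defaultdict(list)
    for ts, user, ip, res in events:
        if res == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()  # chronological, so each window scans forward from t0
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged
```

Feeding both detections the same offboarding list and VPN logs is the point: the terminated user's IP and the IP behind the lockouts can then be correlated in one place.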

Malware-Laden AI Image Generator: NullBulge

In a separate incident, Ryan Mitchell Kramer, a 25-year-old Californian operating under the alias NullBulge, pleaded guilty to charges involving unauthorized access to a Disney employee’s computer and the threat to damage protected systems. This breach was executed through a malicious AI image generation extension that Kramer released on GitHub in April 2024.

The deceptive extension, named ComfyUI_LLMVISION, siphoned passwords and payment information and forwarded them to a Discord server controlled by Kramer. Its malicious files were named after major AI companies such as OpenAI and Anthropic to avoid suspicion. Using the stolen credentials, Kramer gained access to restricted channels within Disney’s internal communication platform, ultimately amassing 1.1 terabytes of confidential data.

As part of his pose as a hacktivist, Kramer publicly released the stolen information after Disney did not respond to his contact attempts. Court filings revealed that at least two additional individuals unwittingly installed Kramer’s malware, further compromising their systems and data. He is expected to face court proceedings in the coming weeks.

The repercussions of these cyber incidents are extensive, posing risks to consumer safety, reputation, and the confidentiality of large volumes of data. They illustrate an urgent need for stronger cybersecurity strategies: robust access control measures (including prompt revocation of VPN and account access at termination), continuous monitoring of network activity, and comprehensive employee training to thwart social engineering attempts. By referencing the MITRE ATT&CK framework, organizations can better understand potential adversarial tactics and develop proactive defenses against such threats.