disney cruise ship at night

Disney’s Data Disaster: Hackers Expose Magic Kingdom’s Secrets

House of Mouse Faces Legal Battle Over Massive Data Breach

The entertainment giant Disney is facing a class action lawsuit over a massive data breach that has exposed sensitive information of thousands of current and former employees.

The breach, which occurred in July 2024, has raised alarm bells in the tech industry and raised serious questions about Disney’s data security practices.

The Hack Heard ‘Round the World

NullBulge Strikes the Magic Kingdom

A hacker group calling themselves “NullBulge” infiltrated Disney’s internal Slack messaging system, gaining access to over 1 terabyte of sensitive data.

The breach exposed a treasure trove of information, including:

  • 44 million internal Slack messages
  • 18,800 spreadsheets
  • 13,000 PDF files

From Passports to Profits: What Was Exposed

The leaked data contains a wide range of sensitive information, including:

  • Passport numbers and visa details for Disney Cruise Line workers
  • Current work assignments of cruise employees
  • Names and contact info for some Disney Cruise Line passengers
  • Names and contact details for some Disneyland restaurant reservation holders
  • Login credentials for some of Disney’s cloud infrastructure

Financial Secrets Unveiled

Disney+ Streaming Success

Internal documents revealed that Disney+ generated over $2.4 billion in revenue in Q2 2024, accounting for about 43% of the company’s direct-to-consumer entertainment business revenue.

Genie+ Generates Magic Profits

The leaked data showed that Disney’s Genie+ theme park pass brought in over $724 million in revenue at Disney World between October 2021 and June 2024.

The Legal Battle Begins

Class Action Lawsuit Filed

A former Disney employee has filed a data breach class action lawsuit against the company, accusing Disney of:

  • Negligence
  • Breach of implied contract
  • Violation of California’s Customer Records Act
  • Violation of California’s Confidentiality of Medical Information Act
  • Unfair business practices

Delayed Notice Raises Concerns

The lawsuit alleges that Disney failed to promptly notify affected individuals about the breach. One of the more interesting quotes from the class action complaint against Disney is:

“Representative Plaintiff(s) and Class Members have yet to receive a letter from Defendant, stating that their PHI/PII and/or financial information has been involved in the Data Breach. Representative Plaintiff(s) and Class Members became aware of the Data Breach through articles.” ¶ 16

The complaint highlights that Disney allegedly failed to promptly notify affected individuals about the data breach, leaving them to learn about it from news reports rather than directly from the company.

Many victims, including the plaintiff, only learned about the incident from news reports in September 2024, months after the data breach occurred.

This lack of communication from Disney regarding such a significant breach of sensitive personal data is particularly concerning.

Children’s Private Information Allegedly Disclosed

The class action further alleges that the hackers obtained the personal and private information of children:

“cybercriminals infiltrated Defendants’ inadequately protected network servers and accessed highly sensitive PHI/PII belonging to both adults and children, which was being kept unprotected.” ¶ 2.

The inclusion of children’s data clearly heightens the seriousness of the data breach.​

The Hacker’s Motive: More Than Just Money?

NullBulge claims to be advocating for artist rights and protesting Disney’s “approach to AI” and “pretty blatant disregard for the consumer.”

However, some security researchers believe the hack may be the work of a lone individual based in the U.S.

Data Security at Disney

As the legal battle unfolds, all eyes are on Disney to see how they will respond to this massive breach. Will the company implement stronger data protection measures? Only time will tell if the magic of Disney can overcome this digital disaster.

Protecting Your Rights

What to Do If You’re Affected

If you’re a current or former Disney employee, or a Disney Cruise Line passenger, here are some steps you should consider:

  1. Monitor your financial accounts and credit reports closely
  2. Consider placing a fraud alert or credit freeze on your accounts
  3. Be wary of phishing attempts using the stolen information
  4. Consult with an attorney about your legal rights

Free Legal Consultation

Disney Privacy Consultation

Name(Required)
Address
Did you receive a Disney data breach notification letter?(Required)
Are you a current or former employee of Disney or Disney Cruise Lines?(Required)