Case Study: The Disney Leak and the Cost of Lax Device Security

Introduction
This is a short case study of the 2024 Disney Slack leak published under the “NullBulge” persona. It covers what happened, how the attacker got in through a single employee’s computer, what they did after gaining access, and the outcome. It then shifts into practical lessons your organization can apply using basic device controls and access controls.
What Happened
In mid-2024, Disney was hit by a major data leak tied to internal Slack content. Public reporting described a very large release of internal messages and files, posted online under the name “NullBulge.” The leak included internal conversations and shared content across many Slack channels.
How the Attack Happened
The breach reportedly began when a Disney employee installed an “AI image generation” tool that was actually infostealer malware. Later reporting described the malware as capturing keystrokes and credentials on the machine, which gave the attacker access to the employee’s password vault and to already-authenticated sessions, so the attacker did not need to defeat a login prompt at all.
With that foothold, the attacker followed a familiar playbook: use the stolen credentials and sessions to reach internal systems, get into Disney’s Slack environment, and exfiltrate large volumes of messages and files. Reporting also described threats and extortion pressure against the employee, followed by the public release of the data when those threats did not produce the desired result.
Outcome and Liability
The U.S. Department of Justice later announced that Ryan Mitchell Kramer agreed to plead guilty to charges connected to the Disney Slack breach. The plea agreement did nothing to reduce the direct and indirect costs Disney had already incurred.
A note on "cost"
Disney never publicly disclosed a total cost for the breach, but it clearly incurred real costs. Reuters reported that Disney planned to move away from Slack after the leak, which implies time and spend for tool migration, change management, and operational disruption across teams. On top of that are the usual follow-on costs that rarely appear as a single disclosed number: internal investigation and remediation work, outside incident response and legal support, and additional security hardening to prevent a repeat. Disney’s FY2024 annual filing also states that it did not identify cybersecurity threats that materially affected, or were reasonably likely to materially affect, its business or financial condition, which helps explain why no specific “total cost” figure was reported publicly.
Want to read more?
For continued reporting and official updates, start with these sources:
- Reuters (Sep 19, 2024): Disney to stop using Slack after hack exposed company data
- The Wall Street Journal (Feb 26, 2025): A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life
- WIRED (Jul 15, 2024): Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages
- U.S. Department of Justice (May 1, 2025): Santa Clarita Man Agrees to Plead Guilty to Hacking Disney Employee’s Computer
Lessons Learned You Can Apply
To reduce the chance of a “one user device” incident turning into a companywide data exposure, focus on implementing security changes in these two areas: device controls and access controls.
Device Controls
- Remove Local Admin Rights: Most employees should not be able to install software. This blocks installers that need elevation before they start. Note that it does not stop malware that runs entirely in the user’s own context, such as an infostealer launched as a “tool” the user chose to run, which is why the application control and EDR items below matter as well.
- Enforce Application Controls: Block unapproved installers and scripts. Allow business-approved applications only.
- Deploy Managed Device Security: Use managed endpoint protection and monitoring (EDR) so malware activity is detected quickly and escalated to someone who will respond.
- Regularly Update Systems: Keep operating systems and third-party applications patched. Many attacks succeed because devices are behind on updates.
Access Controls
- Enforce MFA Everywhere: Require MFA for email, Microsoft 365, remote access, and any admin tools. Do not allow exceptions. Keep in mind that MFA protects the login, not a session token that has already been stolen from the device; pair it with short session lifetimes and the ability to revoke sessions quickly.
- Check Sign-In Logs: Review sign-in activity for abnormal access patterns such as impossible travel, new countries, repeated failures, or suspicious devices.
- Limit Employee Access: Give each employee access only to the files, apps, and systems they actually need to do their job (i.e. least privilege). If one account is compromised, the attacker can only reach a limited set of files and systems instead of everything.
- Separate Admin Accounts: Use dedicated admin accounts for administrative work, not day-to-day email and browsing. Restrict and monitor those accounts more heavily.
- Write Down Emergency Procedures: Document a fast-response process to disable accounts, revoke sessions, reset credentials, and isolate devices when activity looks suspicious.
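The sign-in review above is the kind of check that is easy to describe and easy to skip. The script below is an added example (not code from the original page or from Veldtech) that runs the four checks named in the list, impossible travel, new country, repeated failures and unknown devices, over a constructed set of sign-in records. The field names, the per-user baselines and the thresholds are assumptions for the example; real identity-provider exports use their own field names and you would build the baselines from a quiet period of your own history.

```python
"""Review sign-in events for the abnormal patterns a lax-device incident produces.

Added example. The log records, field names, baselines and thresholds are
constructed assumptions, not real data or a real identity provider's schema.
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not real logs). Each record carries the
# fields most identity providers can export: timestamp, user, result, source
# IP, country, approximate geolocation and a device identifier.
SAMPLE_LOG = [
    {"ts": "2024-07-01T08:00:00", "user": "alice", "result": "success", "ip": "203.0.113.5",
     "country": "US", "lat": 34.05, "lon": -118.24, "device": "laptop-A1"},
    # Forty minutes later the same session is used from Berlin: impossible travel.
    {"ts": "2024-07-01T08:40:00", "user": "alice", "result": "success", "ip": "198.51.100.7",
     "country": "DE", "lat": 52.52, "lon": 13.40, "device": "laptop-A1"},
    # Five failures in five minutes against bob, then a success from an unknown device.
    {"ts": "2024-07-01T09:00:00", "user": "bob", "result": "failure", "ip": "192.0.2.10",
     "country": "US", "lat": 40.71, "lon": -74.01, "device": "desktop-B2"},
    {"ts": "2024-07-01T09:01:00", "user": "bob", "result": "failure", "ip": "192.0.2.10",
     "country": "US", "lat": 40.71, "lon": -74.01, "device": "desktop-B2"},
    {"ts": "2024-07-01T09:02:00", "user": "bob", "result": "failure", "ip": "192.0.2.10",
     "country": "US", "lat": 40.71, "lon": -74.01, "device": "desktop-B2"},
    {"ts": "2024-07-01T09:03:00", "user": "bob", "result": "failure", "ip": "192.0.2.10",
     "country": "US", "lat": 40.71, "lon": -74.01, "device": "desktop-B2"},
    {"ts": "2024-07-01T09:04:00", "user": "bob", "result": "failure", "ip": "192.0.2.10",
     "country": "US", "lat": 40.71, "lon": -74.01, "device": "desktop-B2"},
    {"ts": "2024-07-01T09:06:00", "user": "bob", "result": "success", "ip": "192.0.2.10",
     "country": "US", "lat": 40.71, "lon": -74.01, "device": "unknown-9f3"},
]

# Baselines an organization would derive from its own quiet-period history
# (constructed here for the example).
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}
KNOWN_DEVICES = {"alice": {"laptop-A1"}, "bob": {"desktop-B2"}}

MAX_SPEED_KMH = 900.0   # faster than a commercial flight => impossible travel
MIN_DISTANCE_KM = 50.0  # ignore geolocation jitter inside one metro area
FAIL_THRESHOLD = 5      # failures within the window that trigger an alert
FAIL_WINDOW_SEC = 10 * 60


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def review_signins(events, known_countries, known_devices):
    """Return a list of (user, rule, detail) alerts found in the events."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    for user, evs in by_user.items():
        last_success = None
        recent_failures = []  # timestamps of failures inside the sliding window
        for e in evs:
            if e["result"] != "success":
                recent_failures.append(e["ts"])
                recent_failures = [t for t in recent_failures
                                   if (e["ts"] - t).total_seconds() <= FAIL_WINDOW_SEC]
                if len(recent_failures) >= FAIL_THRESHOLD:
                    alerts.append((user, "repeated_failures",
                                   f"{len(recent_failures)} failures within {FAIL_WINDOW_SEC // 60} min from {e['ip']}"))
                    recent_failures = []  # one alert per burst, not one per extra failure
                continue

            if e["country"] not in known_countries.get(user, set()):
                alerts.append((user, "new_country", f"success from {e['country']} ({e['ip']})"))
            if e["device"] not in known_devices.get(user, set()):
                alerts.append((user, "new_device", f"success from unknown device {e['device']}"))
            if last_success is not None:
                hours = (e["ts"] - last_success["ts"]).total_seconds() / 3600.0
                km = haversine_km(last_success["lat"], last_success["lon"], e["lat"], e["lon"])
                # Compare distance against the reachable distance so a zero-hour
                # gap with a real distance still flags instead of dividing by zero.
                if km > MIN_DISTANCE_KM and km > MAX_SPEED_KMH * hours:
                    alerts.append((user, "impossible_travel",
                                   f"{km:.0f} km in {hours:.2f} h between {last_success['ip']} and {e['ip']}"))
            last_success = e
    return alerts


if __name__ == "__main__":
    for user, rule, detail in review_signins(SAMPLE_LOG, KNOWN_COUNTRIES, KNOWN_DEVICES):
        print(f"{user:6} {rule:18} {detail}")
```

On the constructed input the script raises an impossible-travel and a new-country alert for alice, and a single repeated-failures alert followed by a new-device alert for bob; the new-device alert after a burst of failures is exactly the pattern the emergency procedure in the last item should be triggered on. The thresholds are deliberately conservative starting points; tune them against your own false-positive rate before routing the alerts to a responder.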
Next Steps
If you want a quick reality check on whether your organization is protected against the “untrusted install” scenario, start by reviewing who has admin rights, what software can be installed, and whether you can detect and respond to suspicious sign-ins quickly.
Schedule a Consultation
Talk with Veldtech about your current security posture, device controls, and access risks.