In this incident, a 25-year-old California man, Ryan Kramer (alias NullBulge), tricked Disney employees into downloading malware disguised as an AI image-generation tool. Once installed, the malware harvested credentials and provided Kramer with unauthorized access to Disney’s private Slack channels and internal communications. One employee, Matthew Van Andel, inadvertently granted elevated privileges, enabling Kramer to exfiltrate more than 1.1 terabytes of confidential data. Stolen materials included personal information of employees, unreleased film and TV project files, and other proprietary corporate documents. When Van Andel failed to comply with threats of publication, Kramer posted the sensitive data on the BreachForums hacking site. Authorities say at least two other individuals were similarly compromised, and an ongoing investigation aims to determine the full extent of the breach. The exposure of internal communications and unreleased intellectual property poses serious reputational, legal, and financial risks for Disney, while also potentially undermining competitive positioning and violating privacy regulations.
Source: https://www.scworld.com/brief/california-man-admits-to-disney-cyberattack
TPRM report: https://scoringcyber.rankiteo.com/company/disney-theatrical-group
"id": "dis901050225",
"linkid": "disney-theatrical-group",
"type": "Breach",
"date": "5/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Entertainment',
                        'location': 'California, USA',
                        'name': 'Disney',
                        'type': 'Corporation'}],
 'attack_vector': 'Phishing, Malware',
 'data_breach': {'data_exfiltration': '1.1 terabytes of confidential data',
                 'personally_identifiable_information': 'Employee personal '
                                                        'information',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal information',
                                              'Unreleased film and TV project '
                                              'files',
                                              'Proprietary corporate '
                                              'documents']},
 'description': 'A 25-year-old California man, Ryan Kramer (alias NullBulge), '
                'tricked Disney employees into downloading malware disguised '
                'as an AI image-generation tool. Once installed, the malware '
                'harvested credentials and provided Kramer with unauthorized '
                'access to Disney’s private Slack channels and internal '
                'communications. One employee, Matthew Van Andel, '
                'inadvertently granted elevated privileges, enabling Kramer to '
                'exfiltrate more than 1.1 terabytes of confidential data. '
                'Stolen materials included personal information of employees, '
                'unreleased film and TV project files, and other proprietary '
                'corporate documents. When Van Andel failed to comply with '
                'threats of publication, Kramer posted the sensitive data on '
                'the BreachForums hacking site. Authorities say at least two '
                'other individuals were similarly compromised, and an ongoing '
                'investigation aims to determine the full extent of the '
                'breach. The exposure of internal communications and '
                'unreleased intellectual property poses serious reputational, '
                'legal, and financial risks for Disney, while also potentially '
                'undermining competitive positioning and violating privacy '
                'regulations.',
 'impact': {'brand_reputation_impact': 'Serious reputational risks',
            'data_compromised': ['Personal information of employees',
                                 'Unreleased film and TV project files',
                                 'Proprietary corporate documents'],
            'legal_liabilities': 'Potential legal risks',
            'systems_affected': ['Slack channels', 'Internal communications']},
 'initial_access_broker': {'entry_point': 'Phishing email with malware '
                                          'disguised as AI tool'},
 'investigation_status': 'Ongoing',
 'motivation': 'Data exfiltration, Financial gain, Public disclosure',
 'post_incident_analysis': {'root_causes': 'Human error, Credential '
                                           'harvesting'},
 'threat_actor': 'Ryan Kramer (alias NullBulge)',
 'title': 'Disney Data Breach via Malware Disguised as AI Tool',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Human error, Credential harvesting'}