A former Disney employee's world was turned upside down when he downloaded an artificial intelligence-powered photo program, unaware that it was laced with hacking software, during a massive data breach at the entertainment giant.
In July, Matthew Van Andel, an engineer at Disney at the time, got a message on the chat forum Discord from an unknown account, which seemed to know personal, granular details that would only be possible if the individual had access to his workplace Slack chat program.
The hackers said if Van Andel, who alerted Disney to the seeming breach, didn’t comply with their demands, they would release troves of his personal information online.
As the engineer raced to reset his various passwords, the hackers followed through on their threat, releasing information including his Social Security number, his login credentials to Disney systems, and even dumping info on his children’s Roblox accounts.
“It’s impossible to convey the sense of violation,” Van Andel, 42, of La Crescenta, California, told The Wall Street Journal on Wednesday.
After the hack, Van Andel says he didn’t eat or sleep and began having panic attacks. Strangers left him unnerving voicemails, and pranksters vandalized his social media accounts.
The engineer also lost his job at Disney, after a forensic analysis of his work-issued computer found he had accessed pornography, which he denies.
The hack on Van Andel was part of a larger breach of Disney’s Slack accounts, where an entity calling itself Nullbulge shared upwards of a terabyte of private information including employee data, computer code, details about unreleased projects, and specifications about Disney technologies and ad campaigns.
Nullbulge, claiming to be a hacktivist collective, told reporters at the time it carried out the attack “due to how [Disney] handles artist contracts, its approach to AI, and its pretty blatant disregard for the consumer.”
Security researchers believe Nullbulge may be a single American individual who used a class of malware called an infostealer, which embeds malicious code in software downloads, to carry out the cyberattack.
Van Andel’s family members also say they doubt the claim the hack was motivated by an ideological grievance against Disney.
“They initially started stealing a lot of credit card data and banking information — the normal things,” Van Andel’s sister Christa Maier told the Los Angeles Post last year. “But then they realized where he worked and they were like, ‘We can have some additional fun with this.’”
They praised him for working with Disney and authorities to investigate the incident.
“When the hacker made their presence known and tried to extort our brother for additional information, he instead went directly to the authorities and put himself, his family and his reputation at risk to protect his employer,” they write on a GoFundMe page. “The hacker retaliated over his unwillingness to comply by publicly releasing personal information and attempting to make an example of him so that the next victim would comply with their sadistic demands.”
Van Andel, who sought a payout from Disney last year due to lost wages and emotional distress, said the hack is still causing people to attempt to access his private accounts.
