Educational & easy-to-consume visual guides to understanding attacks & enhancing resilience
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
In July 2024, the hacktivist group NullBulge claimed it had leaked around 1.2 terabytes of data from The Walt Disney Company's internal Slack workspace, said to span almost 10,000 channels and to include messages, files, information on unreleased projects, source code, some login credentials and links to internal APIs and web pages. The group said it gained access through a compromised employee account. A separate, earlier breach of a Disney Confluence server in June 2024 had already exposed about 2.5 GB of internal corporate data. Disney said it was investigating the matter.
The incident unfolded over mid-2024. In early June 2024, a Disney Confluence server was breached and around 2.5 GB of internal corporate data was taken. On 15 July 2024, NullBulge publicly claimed responsibility for leaking roughly 1.2 terabytes of data from Disney's internal Slack, and multiple outlets including CNN reported the leak the same day. Disney confirmed on 15 July 2024 that it was investigating.
The Slack leak was claimed by NullBulge, a self-described hacktivist group that says it acts to protect artists' rights and fair compensation. In emails to the media, the group claimed to be based out of Russia, although this was not independently verified. NullBulge had been hinting at a large Disney release for several weeks before going public. The earlier June 2024 Confluence breach was attributed to separate actors initially seeking Club Penguin game data.
According to the group's own account, NullBulge obtained access to Disney's Slack through a compromised employee account. It described gaining entry via a person with Slack access 'who had cookies', suggesting stolen session cookies or credentials rather than a technical exploit of Slack itself. The separate June 2024 Confluence breach was reported to have used previously exposed credentials. Both routes point to compromised human accounts, rather than a software flaw, as the entry point.
NullBulge claimed to have leaked around 1.2 terabytes of data covering almost 10,000 Slack channels. Reporting indicated the trove included internal messages and files, information on unreleased projects, raw images, computer source code, some login credentials, links to internal APIs and web pages, web push certificates for ABC television stations and assorted design files. Security researchers noted that the data had yet to be fully verified at the time of the leak.
NullBulge framed the attack as a protest. The group told reporters it wanted to protect artists' rights and compensation, particularly in the age of artificial intelligence, and said Disney was chosen because of how it handles artist contracts, its approach to AI and what the group called its disregard for consumers. The group said it chose to leak the data rather than make demands, arguing that issuing an ultimatum would simply prompt Disney to lock down its systems.
The June 2024 Confluence breach was a separate but related event. In early June 2024, individuals reportedly seeking Club Penguin game data breached a Disney Confluence server using previously exposed credentials and walked away with around 2.5 GB of internal corporate data, including material on corporate strategy, advertising plans, Disney+, internal developer tools and infrastructure. This was distinct from the much larger NullBulge Slack leak disclosed in July 2024, though both highlighted weaknesses in account and credential security.
No ransom was reported. Unlike a ransomware attack, NullBulge said it deliberately leaked the data rather than making demands, reasoning that warning Disney first would only let the company lock the attackers out. No ransom demand or payment was identified in reporting, and the incident is best understood as a hacktivist data leak rather than a financially motivated extortion.
NullBulge is a hacktivist group that presents itself as protecting artists' rights and opposing certain uses of artificial intelligence. Beyond the Disney leak, it has been linked to the distribution of malicious tools aimed at AI users, including a compromised AI image-generation extension hosted on GitHub, used to harvest credentials and data. The group publicises its activity on its blog and social media, and claimed that its site withstood a DDoS attack of around 9.2 million requests after the Disney leak.
The leak exposed a large volume of sensitive internal information, raising concerns about unreleased projects, proprietary source code, internal infrastructure details and credentials that could enable further access. Exposed web push certificates for ABC stations and internal API links were particularly sensitive from a security standpoint. While no customer-data or operational impact was reported, the breach posed reputational and intellectual-property risks and underlined the danger of sensitive material accumulating in collaboration tools such as Slack.
Disney's public response was brief: on 15 July 2024 the company stated that it was investigating the matter. It did not publicly confirm the scope or authenticity of the leaked data at the time. The incident later contributed to wider scrutiny of how large enterprises secure collaboration platforms and manage the volume of sensitive data held within them.
The Disney incident shows how a single compromised employee account can expose vast amounts of sensitive data held in collaboration tools, and how hacktivists motivated by issues such as AI and artists' rights can inflict serious reputational and intellectual-property damage without any ransom. Key lessons include enforcing multi-factor authentication and session-cookie protections, limiting and monitoring access to platforms like Slack and Confluence, minimising the sensitive data stored in chat, and rehearsing response through tabletop exercises. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.
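The session-cookie monitoring named in the lessons above can be sketched as a check for one session being presented by two different clients close together in time. This is an added example, not code from Disney, Slack or Cyber Management Alliance; the record fields, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The field names are assumptions for this example,
# not the schema of Slack's or Confluence's real audit logs.
EVENTS = [
    {"ts": "2024-07-01T09:00:00", "user": "alice", "session": "s-100",
     "ip": "198.51.100.10", "ua": "DesktopClient/4.38 macOS"},
    {"ts": "2024-07-01T09:05:00", "user": "alice", "session": "s-100",
     "ip": "198.51.100.10", "ua": "DesktopClient/4.38 macOS"},
    {"ts": "2024-07-01T09:07:00", "user": "alice", "session": "s-100",
     "ip": "203.0.113.77", "ua": "python-requests/2.31"},
    {"ts": "2024-07-01T09:08:00", "user": "alice", "session": "s-100",
     "ip": "198.51.100.10", "ua": "DesktopClient/4.38 macOS"},
    {"ts": "2024-07-01T10:00:00", "user": "bob", "session": "s-200",
     "ip": "198.51.100.20", "ua": "DesktopClient/4.38 Windows"},
    {"ts": "2024-07-01T18:00:00", "user": "bob", "session": "s-200",
     "ip": "192.0.2.44", "ua": "DesktopClient/4.38 Windows"},
]

def find_session_reuse(events, window=timedelta(minutes=30)):
    """Return one alert per session that two different client fingerprints
    (IP address, user agent) present within `window` of each other."""
    last_seen = defaultdict(dict)  # session -> {fingerprint: last timestamp}
    alerts = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        fp = (ev["ip"], ev["ua"])
        seen = last_seen[ev["session"]]
        for other, other_ts in seen.items():
            # A different client used the same session moments ago: the
            # legitimate user and a second party are likely sharing the cookie.
            if other != fp and ts - other_ts <= window:
                alerts.setdefault(ev["session"], {
                    "session": ev["session"], "user": ev["user"],
                    "known_client": other, "new_client": fp,
                    "seen_at": ev["ts"],
                })
        seen[fp] = ts
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print(alert)
```

The second sample session changes IP address hours later with the same user agent and is not flagged, which is the roaming case a simple "new IP" rule would misreport.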