The Download That Led to a Massive Hack at Disney
22:10 Share

Where does this story start? So, I'm not quite sure. So, you know, I didn't even realize it was that long ago at first until after the FBI had visited and I told them I would put together like a detailed timeline for them. This is Dutch Van Andel. Up until last year, he lived a pretty ordinary life. He's a software engineering manager, married with two kids, and lives in the suburbs of Los Angeles.

But last year, something happened that turned his ordinary life upside down. It started when Dutch downloaded a seemingly innocuous program onto his personal computer. It was an AI software called Vision LLM, and it could generate images. He wanted something his sons could play with. Like generate pictures of Easter buddies and Roblox people and, you know, stuff like that.

He didn't know it at the time, but the program had a malicious code in it. A code that gave a hacker access to Dutch's computer. And over a period of months, that hacker stole all of Dutch's personal information, like his bank accounts and passwords. They're getting into things they shouldn't have because they've got my social security number, they've got my birth date, they've got my email address. You can just make a phone call and pretend to be me because you have this information. It was a nightmare. ♪

And it wasn't just his personal life that was hacked. Through Dutch, the hacker also got inside his employer, Disney. Disney has apparently been hit by a cyber attack. The hacking group Noble says it leaked thousands of internal Disney messages. While Dutch's story is unusual, his life online wasn't. And what happened to him could happen to almost anyone. These people, they may not be targeting you, but just because...

you work for somebody that they find interesting, they will destroy you to get at it. Welcome to The Journal, our show about money, business, and power. I'm Ryan Knudson. It's Monday, March 17th. Coming up on the show, what it feels like to be at the center of a major hack on one of the world's largest companies.

This episode of The Journal is brought to you by HubSpot. It takes a lot to grow your business. You've got to attract audiences, score leads, manage all the channels. But with Breeze, HubSpot's new AI tools, it's never been easier to be a marketer and crush your goals fast. Which means pretty soon, your company will have a lot to celebrate, like 110% more leads in just 12 months. Visit HubSpot.com slash marketers to learn more.

Support comes from ServiceNow. We're for people doing the fulfilling work they actually want to do. That's why this ad was written and read by a real person, and not AI. You know what people don't want to do? Boring, busy work. Now with AI agents built into the ServiceNow platform, you can automate millions of repetitive tasks in every corner of your business, IT, HR, and more, so your people can focus on the work that they want to do. That's putting AI agents to work for people.

It's your turn. Visit servicenow.com. That is one impressive mustache. Thank you. Dutch's mustache is long, straight, and points directly out to the sides. Started with just curling the corners with some wax, and I wanted to make a loop. But it turns out, every time it gets hot, my hair is stubborn, and that loop turns into a hoop. So I just started keeping it straight instead.

Dutch is 43, and his real name is Matthew. I tend to go by Dutch because there's just too many Mats everywhere you go. Right. I was the Dutch Mat, and then it just became Dutch. The Dutch? Are you Dutch? Yeah, yeah. It's, well, you know, family name, Van Andel. Grandparents were Dutch, so I'm like third generation, something like that. The first sign that Dutch's life was about to be turned upside down happened last spring. So in May...

Other weird things happened too. Like, his computer slowed down to the point where he couldn't even use it. And then he got a suspicious login notification to his work account that he didn't recognize.

But July is when he knew something was really up. That's when he got a message on Discord, a platform popular with gamers. And there's this suspicious direct message. The person's like, Frank something something. And ordinarily, I just delete unsolicited direct messages from strangers. But this one was really long.

The thing that caught his attention was that the message included details from a conversation he'd had on his work Slack account. It was a chat about his lunch. I think there is no way they should have this. There's no way they should have that Slack conversation. Slack was Disney's internal messaging platform at the time. And it's supposed to be private. No one outside the company should have been able to see those messages.

The only way they have that Slack conversation is somehow my work computer is compromised. So immediately, I close the work computer. Dutch came to the conclusion that he'd been hacked. He got in touch with Disney's information security team, or InfoSec. It responds to the company's IT emergencies. And I say, hey, I got this thing. It sounds like an extortion message. And they have a thing in there from Slack that they should not have access to it.

Dutch says InfoSec looked into it and said his work laptop looked fine and that he should check his personal computer. So Dutch ran an antivirus program. And immediately it picks up this file, Vision LLM, in my downloads and says, oh, Trojan detected. So I'm like, Vision LLM, what is that? I can barely remember it.

Vision LLM, that AI plugin Dutch had downloaded so that his kids could generate images of Easter bunnies and Roblox characters, that program had a hidden virus. So I look it up and I find this Reddit thread where somebody's like, this is malware, it steals all your passwords. If you downloaded this, change all of your passwords immediately, like right now that somebody has your passwords. So I let InfoSec know, I'm like, you know, I think they maybe got into my PC program.

Dutch said that Disney's InfoSec agreed, and they told him that a hacker had also gotten into Disney's systems, and they were downloading massive amounts of data. And that's where it starts setting in, like, this panic. You know, I'm still not sure, like, how they had gotten to the Disney systems. So, like, you know, we're trying to work through. It's like, well, how could they get past, like, the two-factor authentication?

While Dutch was on the phone with Infosec, he also had his email account open. And he noticed a spammy-looking message show up in his inbox. He deleted it. But then he got another one right away. And this one is exactly the same as the Discord. So they're definitely trying to get a hold of me, you know? And the timing is also weird. Like, it's like...

Why am I getting this now while I'm like here in my email? Like, are they watching me somehow? Yes. And I like kind of panic and I like hit the trash button. And then they send a third email saying, we saw what you did. Oh, my God. That's where things start to get bad. You know, they're watching you.

In that third email, the hacker also sent a threat. It said, "respond, do what we want, or end up on the net." They're not just in Slack. They're in my email. That means they're probably in my Discord. And I'm thinking, how? How is this possible? It doesn't take long for me to figure out, maybe just a few seconds, they're in my 1Password. It is the only way. 1Password is a password manager.

It's considered a way to protect your digital life. And it's often recommended by security experts as a way to make sure you don't get hacked. The hacker was able to get into Dutch's 1Password account because Dutch didn't have two-factor authentication turned on. That's those codes that get pushed to your phone to make sure it's really you.

Getting access to his 1Password account was bad. Because not only did Dutch store all of his passwords there, he also stored personal information like birth certificates and social security numbers. Information that Dutch had been accumulating for a decade. And not only that, Dutch also used 1Password for two-factor authentication codes

meaning that by accessing his 1Password account, the hacker got Dutch's passwords and his two-factor codes. It was like they had the ultimate master key to Dutch's entire digital life. And I tell InfoSec, oh my God, I think they got my 1Password. They have to have my two-factor codes. This is the only way they could get into this stuff. So at that point, you know, they're like, okay, well, you need to work on securing your personal stuff.

Once he realized this, Dutch had a lot of work to do. So the game plan, like immediately I'm like, how do I, how do I get them out? And they have threatened to retaliate. So I think, okay, I need to secure our financial accounts first. Secure bank accounts and all financials, secure social media, secure medical, secure all this like sensitive personal stuff as much as I, as fast as I could.

Right now. And did you like buy a new computer to do all this stuff? Because they're in your computer, right? They're on my gaming PC, yes. I've already determined that like my wife's MacBook is fine. So I'm working on that. I'm working on her MacBook. So first I secure those accounts as quickly as I can. Change the passwords and all that. Yeah. And we just start erasing everything. We're reformatting computers. I just go straight through the night.

Dutch said he got a call from Disney's InfoSec team the next morning. And they told him that the hacker had doxed him and his family. Meaning they followed through on their threat to put Dutch's information online. All of his personal information, his passwords, his family's birth certificates, everything, was now available for anyone to see. Accounts are now actively hijacked. Like, people are getting into them, they're sabotaging them, they're, you know, changing passwords and...

Meanwhile, at his employer, Disney, they were having problems with the hacker too.

And Dutch's nightmare was about to get a lot worse. That's next.

See Mint Mobile for details.

This episode is brought to you by Polestar. Electric performance is at the core of every choice that went into the all-electric Polestar 3. Like merging a spacious interior with the torque and handling of a sports car, or the ability to go from 0 to 60 in as little as 4.8 seconds, and get an EPA-estimated range of up to 315 miles per charge.

Choices like this all lead to making your decision to choose Polestar 3 obvious. Book your test drive today at Polestar.com. The same morning that a hacker made all of Dutch's personal information public, they also released massive amounts of Disney data online. Troves of confidential information, including things like passport numbers for cruise workers and sales of theme park passes and streaming data.

Disney is investigating a July data leak of its internal Slack channels. Hacktivist group called Null Bulge has come out saying it has leaked more than one terabytes of information from Disney's Slack.

That one terabyte of Disney data included more than 44 million Slack messages, 18,000 spreadsheets, and 13,000 PDFs. And the hacker got it all through Dutch. Saying it gained access through a Slack user who had cookies. Disney says it's investigating the matter. The Wall Street Journal was the first news outlet to report the contents of what the hacker released.

The stolen information gave a rare look inside the inner workings of a big company. There were discussions of ad campaigns, studio technology, and information about unreleased projects. There was even revenue data about each of Disney's streaming services, which had never been made public before. In a regulatory filing last summer, Disney said it was investigating the incident, but that it wasn't expected to have a material impact on its operations or financial performance.

Among the things that the hacker put out there in the data dump was also a claim that Dutch was in on it. And then I start getting messages from press. The media is starting to reach out to me. You know, people are messaging me on LinkedIn and saying, why did you hack your employer? Because you can trust something that a hacker says on their website as they dox that person. Dutch says that he was not part of the hack.

So a week goes by. Again, I'm fending people off still. People are just actively, day and night, nonstop trying to get into things. I'm still having panic attacks every time my phone makes a sound. You know, like, you get the notifications as people are trying to get in. Like, ding, ding, ding, ding, ding, ding. Eventually, after Dutch finished changing all of his passwords, things started to calm down, and he tried to get back to his job.

you know i'm like okay maybe maybe i should see if i can start doing a little bit of work again and i get this call and it's from a disney area code so i pick it up and uh you know they introduce themselves from like disney hr and they're like how are how are you doing dutch and i go well you know i'm surviving and they go well the reason we called

You know, during the investigation of your computer, we discovered that you had accessed pornographic content. And I'm like, I'm completely at a loss. I'm thinking, well, I guess they must have called the wrong person. And I'm like, no, I'm the one that was hacked. And I go, well, we determined that this has nothing to do with that person.

And I'm like, well, it's, but that's not true. And they go, well, because you access pornographic content on a company computer, you're being terminated effective immediately. I don't remember much after that. Dutch denies ever viewing pornography on his work computer. In a statement, a Disney spokesperson said his denial is, quote, firmly refuted by the company's review of his company-issued device.

After you found out that you had been fired, like, what were you feeling? Felt like my life was over. Everything I had built, everything I had worked for, my relationships, projects, reputation, it's all gone. I thought I was going to retire there. You know, I never thought when I started working there that I would work for a big company. But Disney is one of the few companies I actually felt kind of good about.

Dutch said losing his job felt worse than getting hacked and doxxed. You know, this whole week, I had been surviving on the support of all these people at Disney, calling me, checking in, reaching out, making sure I'm okay, saying, look, this could happen to anybody. Don't beat yourself up over it. It's not your fault, you know? And then this. Up until that point, did it feel like they had your back? It did. I thought they did.

I thought they supported me. I thought they were going to protect me. And my support network is gone. Again, you know, I've been there for a long time. You spend more time with those people than you do with your own family. Your co-workers, yeah. Yes. I considered many of them genuine friends. Dutch ended up finding another tech job in December. And he says he's been in touch with the FBI about the hack. Still, he felt burned by Disney.

It's like my identity was tied up there and it was just taken away. You know, I don't know. It just feels like I'm in my 40s. You know, I'm not getting any younger, but my career has been thrown way, way, way back. And there's no catching up. There's no getting it back.

So he decided to sue. In February, he filed a wrongful termination lawsuit against Disney, alleging slander and whistleblower retaliation for speaking out against the company's cybersecurity standards. Disney did not comment on the lawsuit. I always thought that I had a good security posture. Obviously, little oversights are all it takes.

I want to say hackers are getting sophisticated, but it's not even a matter of sophistication. It's just they can throw very wide nets, very unsophisticated wide nets and just have patience. I didn't think about this computer being anything other than a toy. I always figured if you get some malware on there, reformat Windows. Just maybe lose some games, reinstall them.

You know, what's the worst that could possibly happen on there? That's all for today, Monday, March 17th. The Journal is a co-production of Spotify and The Wall Street Journal. Additional reporting in this episode by Bob McMillan, Sarah Krause, and Robbie Whelan. Thanks for listening. See you tomorrow.