
A Disney Worker, an AI Tool and the Hack That Ruined His Life

2025/3/5

WSJ Tech News Briefing

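Robert McMillan: I interviewed Matthew Van Andel, a mid-level technology manager at Disney who suffered a serious hack after downloading a plugin for an AI tool. He is enthusiastic about artificial intelligence and was trying out new AI tools to work more efficiently. The incident highlights how widespread and serious cybersecurity risks are: even experienced technical people can become victims.

Van Andel's experience is not an isolated case. Many people are trying out new technology, especially in the fast-moving AI field. But that experimentation carries risk, because malware can be disguised as seemingly harmless tools. In this incident, the hacker published malware on GitHub disguised as a Comfy UI plugin; once downloaded to a personal computer, it stole passwords and other sensitive information.

In Van Andel's case, the hacker not only stole his personal information but also broke into his work Slack account, downloaded a large amount of company data, and posted it to the internet. This caused Van Andel enormous personal and professional damage and also hurt Disney.

To avoid similar incidents, we need to strengthen our cybersecurity awareness and measures. First, do not check the "remember me" option on website login screens; it creates a local file and increases the risk of exploitation by hackers. Second, enable two-factor authentication on important accounts, and prefer codes generated by an authenticator app over SMS codes. High-net-worth individuals are advised to use a separate computer for banking and to avoid downloading plugins or visiting unsafe websites.

In short, cybersecurity is an ongoing challenge with no universal solution. But by raising security awareness and taking some basic security measures, we can effectively reduce the risk of being attacked and protect personal and company information.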

Welcome to Tech News Briefing. It's Wednesday, March 5th. I'm Charlotte Gartenberg for The Wall Street Journal. It's a bit of a nightmare scenario. You download an artificial intelligence tool to make your workflow easier. But instead, you get hacked.

And what's worse, the hacker accesses all of your personal data and gets access to your employer. This nightmare scenario recently became a reality for one Disney employee. WSJ reporter Robert McMillan tells us what exactly happened and what steps you can take to make it harder for the hackers if they slide into your digital life.

Bob, our listeners might remember hearing about the hack that hit Disney last July. WSJ reported that a hacking entity stole and leaked online more than a terabyte of company data. This included more than 44 million messages from Disney's Slack workplace communications tool. You recently profiled Matthew Van Andel, the Disney employee who downloaded the AI tool that led to the hack. What can you tell us about him?

A lot of people call him Dutch. That's his nickname. And he was a sort of mid-level technology manager at Disney, a very earnest guy who was interested in the field of artificial intelligence and how it might apply to his work and decided to learn some stuff. Many of us do things like this. We'll try and experiment with new technologies. It's very easy to load a plug-in onto your phone or onto your computer. There's just like a world of interesting technology, especially in the AI space right now. It's just blowing up. So there's all kinds of new stuff and staying on the cutting edge of that is pretty important to do. People who work in technology.

How did the hack happen?

It happened on GitHub, which is a website owned by Microsoft and is very, very popular with software developers, including people who are dabbling in the AI world. It's sort of a social network for coders, and you can just establish your identity by posting software to it. And the hacker had created a plugin for an AI tool, so some software that helped make an AI tool called Comfy UI a little bit easier to use. And, unbeknownst to everyone using it, it was what we call a Trojan horse. It was software that looks like one thing but actually ends up being malicious. Once Dutch had downloaded this to his personal computer, it gave access to this one password cache and other information on his personal computer that led to the hack. One day in July last year, he basically got a message from somebody he didn't know who made a reference to a lunch he had had just the day before. And he knew very specific details about this work lunch. There's no way this person could have known that. It wasn't something that he posted on the internet about. And so he started to really wonder what was going on. And then as he thought back, there'd been some weird things that had happened. Financial fraud related to his credit cards and other online accounts over the past few months. And he started to wonder if maybe he had been hacked.

So what was the personal impact for him?

It was a nightmare. This guy was extremely online, right? He's a technology person. And so he had like hundreds of online accounts. And what he found out eventually was that the hacker had not only stolen his identity, committed identity theft, had logged into his work Slack account and downloaded data from there, but he had also downloaded this person's digital life basically and then posted it to the internet.

The hacker got into this piece of software called 1Password, which is a password manager. It's something you use to simplify the process of logging into the hundreds of websites we all log into. So you had all this sensitive information stored in 1Password that the hacker also accessed and also dumped online. So it was like a particularly sensitive, devastating hack for him.

Van Andel realized that his 1Password account wasn't protected by a second factor. It required just a username and a password. And he hadn't taken the extra step of turning on two-factor authentication. A 1Password spokesman said, once someone has a keylogging Trojan program on his or her computer, an attacker has nearly unrestricted access.

So the hacker gained access to Van Andel's employer, Disney. What happened?

So he got access to Disney's Slack. It's a collaboration tool that people use to chat with each other while they're working. And sensitive information had been uploaded to Slack. The hacker downloaded a terabyte of Slack messages from Disney. And that included theme park and streaming revenue. There was private information about customers and employees. And it was just generally an embarrassing thing to have dumped in public for Disney.

And what has Disney said about the impact of the hack?

About a month after the hack, Disney said that they were investigating and they didn't expect it to have material impact on its operations.

And we should note, Disney told employees after the hack that it planned to move away from Slack in an effort to streamline its collaboration tools.

And so what has since happened to Van Andel?

So eventually he handed in his laptop for a forensic analysis. It turned out that the hacker didn't get onto his corporate laptop. But when Disney looked at it, they claimed that he accessed inappropriate websites, pornographic websites on the work device, a claim that Mr. Van Andel denies. And they fired him.

Coming up, what can you do to avoid this kind of cybersecurity nightmare? More on shoring up your own defenses after the break.


Okay, I want to widen our lens here. Is hacking getting more prevalent or harder to protect against lately?

It's always been hard to predict against. I've been covering cybersecurity for close to 20 years now, and there have always been problems. I think of cybersecurity as a problem that's like water kind of flowing downhill. You might dam it up at one place, but it'll just go around that, and it'll sort of inevitably be the hackers want to get on our computers, and they will find a way because there's a very unfair equation, which is that they can be wrong as many times as they like in their attempt to get onto our computers, but we can only be wrong one time. If we make one mistake, then it can be game over.

So a lot of people that I talk to in the cybersecurity world really feel that any determined hacker can get you no matter what. But if you make yourself as secure as possible, if you take some basic steps around cybersecurity, you can make yourself not the easiest target to hit.

Okay, so there's no penicillin answer there, do this and you won't be hacked.

Penicillin is a great actual metaphor because, you know, it was a miracle at first and now it's becoming less and less effective, right? So what happens in cybersecurity is you get advice about what to do. People have been asking me if a VPN would have helped Dutch in this case. And VPNs were actually something that was useful 10 or 15 years ago, but their usefulness has eroded over time. It's basically a way of connecting to the internet that essentially it's more secure. But the way we use the web anyway has become a lot more secure in the last 10 years. So it's not as important as it used to be.

All right. There's no penicillin for this. So what are some things that I can do to try to protect myself a bit better, make myself a, let's say, less easy target.

We talked to the FBI for this story, and they had one piece of advice that is pretty simple to follow and could really help you out. And basically what they said was, look, many people have hundreds of sites they log into, but there are some sites that are really sensitive, that you really don't want anyone to get into, like your work Slack, for example, or your financial sites, right?

Right.

So when you're logging into these sites, there's often a window that appears that says, remember me or keep track of who I am or something like that.

Or like a little checkbox, right?

It's a little checkbox. Yeah, I see it on my banking sites all the time. And they say, don't click that. Because if you click that, you basically create a file on your computer that allows anyone to log into that website. And if you don't click that, then that file doesn't get created. And that's one less thing that the hackers can steal and ruin your life with.

Is there anything else I can do?

Your important accounts should be protected with two-factor authentication. And I recommend using SongPay.

software like Authenticator that runs on your phone and generates a code as the second factor. You can also get text messages for websites, but there is a hack called SIM swapping that if it's around a financial site, it can be really devastating to you. So it's better to use the codes on your phone than to get a text message as your second factor of authentication. But anyway, if you have accounts, if you're a high net worth individual and you have accounts that you're really worried about getting hacked, have one computer, like a Chromebook, you know, that these don't even have to cost very much money. Have one computer that you just use for your banking and don't download plugins to it and don't go to weird websites. Just have this be like, I'm only going to the bank. And that actually makes sense for some people.

Robert McMillan is a reporter for The Wall Street Journal.

And that's it for Tech News Briefing. Today's show was produced by Jess Jupiter with supervising producer Catherine Millsop. I'm Charlotte Gartenberg for The Wall Street Journal. We'll be back this afternoon with TNB Tech Minute. Thanks for listening.