What's really motivating the Disney hackers?

A security expert has voiced doubts over the Disney hackers’ motives after the group claimed to be targeting companies using AI to undercut content creators and artists. 

The entertainment titan confirmed it is investigating what appears to be a major leak after a new hacker group published what they claim is a large tranche of the company’s internal messages online.

The group, which has labeled itself NullBulge, claimed that the 1.1 TB of data it posted on BreachForums is a cache of Disney’s internal Slack archive.

The data, first posted on Thursday 11 July, allegedly includes file attachments as well as the messages from 10,000 internal Slack channels, potentially exposing upcoming projects, code, employee credentials, booking and revenue data from Disneyland Paris, as well as links to internal sites and APIs.

In the group’s posts on the dark web, NullBulge claimed it gained access to the data via a Disney insider, also publishing their personally identifying information (PII), including medical data as well as the credentials stored in the user’s entire password.

Notably, on the group’s website, NullBulge refers to itself as “a hacktivist group protecting artists’ rights and ensuring fair compensation for their work”, claiming it is not financially motivated and only targets companies that have committed one of three ‘sins’.

These include promoting cryptocurrencies or related products and services, publishing AI-generated artwork, and stealing content from supportive artist platforms like Patreon, or artists more generally. 

“Our mission is to enact ways to ensure that theft from artists is reduced and to promote a fair and sustainable ecosystem for creators. Our hacks are not those of malice, but those to punish those caught stealing,” the group’s website states.

Experts dubious about Disney hackers’ claimed motivations

Ilia Kolochenko, CEO at ImmuniWeb and adjunct professor at Capital Technology University, said he isn’t convinced the group’s motivations are so noble, suggesting the scale of the attack indicates a larger, financially-motivated organization.

Kolochenko noted that this incident appears to be a “well thought out smokescreen to mask the true identities and real motives” of the group.

“Hacktivists are highly unlikely to run operations of such scale to protect intellectual property and the rights of artists. Moreover, in many jurisdictions, such evidence may be inadmissible in courts and will merely cause embarrassment to Disney if exposed,” he said.

Kolochenko suggested the size of the breach and the type of information involved indicates the attack is more likely to be part of an extortion attempt.

“Given the volume and nature of the reportedly compromised data, it may rather be exploited to blackmail Disney, similar to the notoriously devastating Sony hack. Another plausible reason behind the intrusion is politics and an attempt to censor certain movies, topics or ideas from Disney’s digital content,” he explained.

“This case is a grim reminder for all corporations about the importance of having and invariably enforcing policies relating to data retention, authorized use of Slack, and other corporate messengers, as well as prohibition to discuss certain sensitive topics in potentially insecure environments.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.