The Journal.

The Download That Led to a Massive Hack at Disney

March 17, 2025 22m
Matthew Van Andel’s ordinary life unraveled when he accidentally downloaded a trojan horse that gave a hacker access to his entire computer. But the hacker didn’t just get Van Andel’s information. It also got his employer: Disney.  Further Reading: -A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life.  -How to Keep Hackers From Destroying Your Digital Life  Further Listening: -Six Days of Chaos at MGM's Casinos  -Hack Me If You Can

Full Transcript

Where does this story start? So, I'm not quite sure. So, you know, I didn't even realize it was that long ago at first until after the FBI had visited and I told them I would put together like a detailed timeline for them.
This is Dutch Van Andel. Up until last year, he lived a pretty ordinary life.
He's a software engineering manager, married with two kids, and lives in the suburbs of Los Angeles. But last year, something happened that turned his ordinary life upside down.
It started when Dutch downloaded a seemingly innocuous program onto his personal computer. It was an AI software called Vision LLM, and it could generate images.
He wanted something his sons could play with. Like generate pictures of Easter bunnies and Roblox people and, you know, stuff like that.
He didn't know it at the time, but the program had a malicious code in it. A code that gave a hacker access to Dutch's computer.
And over a period of months, that hacker stole all of Dutch's personal information, like his bank accounts and passwords. They're getting into things they shouldn't have because they've got my social security number, they've got my birth date, they've got my email address.
You can just make a phone call and pretend to be me because you have this information. It was a nightmare.
And it wasn't just his personal life that was hacked. Through Dutch, the hacker also got inside his employer, Disney.
Disney has apparently been hit by a cyber attack. The hacking group Null Bulge says it leaked thousands of internal Disney messages.
While Dutch's story is unusual, his life online wasn't. And what happened to him could happen to almost anyone.
These people, they may not be targeting you, but just because you work for somebody that they find interesting, they will destroy you to get at it.

Welcome to The Journal, our show about money, business, and power.

I'm Ryan Knutson.

It's Monday, March 17th.

Coming up on the show, what it feels like to be at the center of a major hack
on one of the world's largest companies.
That is one impressive mustache. Thank you.
Dutch's mustache is long, straight, and points directly out to the sides. Started with just curling the corners with some wax, and I wanted to make a loop.
Uh-huh. But it turns out every time it gets hot, my hair is stubborn.
And that loop turns into a hoop. So I just started keeping it straight instead.
Dutch is 43. And his real name is Matthew.
I tend to go by Dutch because there's just too many Matts everywhere you go. Right.
I was the Dutch Matt. And then it just became Dutch.
The Dutch? Are you Dutch? Yeah, yeah. It's, well, you know, family name, Van Andel.
Grandparents were Dutch, so I'm like third generation, something like that. The first sign that Dutch's life was about to be turned upside down happened last spring.
So in May, we have our credit cards stolen. We're racking up thousands of dollars in these fraudulent credit card charges on like all of our credit cards.
And it's really bizarre and I can't figure out what exactly is going on. Other weird things happened too.
Like, his computer slowed down to the point where he couldn't even use it. And then he got a suspicious login notification to his work account that he didn't recognize.
But July is when he knew something was really up. That's when he got a message on Discord, a platform popular with gamers.
And there's this suspicious direct message. The person's like, Frank, something, something.
And ordinarily, I just delete unsolicited direct messages from strangers. But this one was really long.
The thing that caught his attention was that the message included details from a conversation he'd had on his work Slack account. It was a chat about his lunch.
I think there is no way they should have this. There's no way they should have that Slack conversation.
Slack was Disney's internal messaging platform at the time. And it's supposed to be private.
No one outside the company should have been able to see those messages. The only way they have that Slack conversation is somehow my work computer is compromised.
So immediately, I closed the work computer. Dutch came to the conclusion that he'd been hacked.
He got in touch with Disney's information security team, or InfoSec. It responds to the company's IT emergencies.
And I say, hey, I got this thing, it sounds like an extortion message, and they have a thing in there from Slack that they should not have access to. Dutch says InfoSec looked into it and said his work laptop looked fine, and that he should check his personal computer.
So Dutch ran an antivirus program. And immediately it picks up this file, Vision LLM, in my downloads.
It says, oh, Trojan detected. So I'm like, Vision LLM, what is that? I can barely remember it.
Vision LLM, that AI plugin Dutch had downloaded so that his kids could generate images of Easter bunnies and Roblox characters. That program had a hidden virus.
So I look it up, and I find this Reddit thread where somebody's like, this is malware, it steals all your passwords. If you downloaded this, change all of your passwords immediately, like right now, that somebody has your passwords.
So I let InfoSec know, I'm like, you know, I think they maybe got in through my PC.

Dutch said that Disney's InfoSec agreed.

And they told him that a hacker had also gotten into Disney systems.

And they were downloading massive amounts of data.

And that's where it starts setting in, like, this panic.

You know, I'm still not sure, like, how they had gotten to the Disney system. So, like, you know, we're trying to work through.
It's like, well, how could they get past the two-factor authentication? While Dutch was on the phone with InfoSec, he also had his email account open. And he noticed a spammy-looking message show up in his inbox.
He deleted it. But then he got another one right away.
And this one is exactly the same as the Discord.

So they're definitely trying to get a hold of me, you know?

And the timing is also weird.

Like, it's like, why am I getting this now while I'm, like, here in my email?

Mm-hmm.

Like, are they watching me somehow?

Yes.

And I, like, kind of panic, and I, like, hit the trash button. And then they send a third email saying, we saw what you did.
Oh my God. That's where things start to get bad.
You know they're watching you. In that third email, the hacker also sent a threat.
It said, quote, respond, do what we want, or end up on the net. They're not just in Slack.
They're in my email. That means they're probably in my Discord.
And I'm thinking, how? How is this possible? It doesn't take long for me to figure out, maybe just a few seconds, they're in my 1Password. It is the only way.
1Password is a password manager. It's considered a way to protect your digital life.
And it's often recommended by security experts as a way to make sure you don't get hacked. The hacker was able to get into Dutch's 1Password account because Dutch didn't have two-factor authentication turned on.
That's those codes that get pushed to your phone to make sure it's really you. Getting access to his 1Password account was bad.
Because not only did Dutch store all of his passwords there, he also stored personal information like birth certificates and social security numbers. Information that Dutch had been accumulating for a decade.
And not only that, Dutch also used 1Password for 2-factor authentication codes. Meaning that by accessing his 1Password account, the hacker got Dutch's passwords and his two-factor codes.
It was like they had the ultimate master key to Dutch's entire digital life. And I tell InfoSec, oh my god, I think they got my 1Password.
They have to have my two-factor codes. This is the only way they could get into this stuff.
So at that point, you know, they're like, okay, well, you need to work on securing your personal stuff. Once he realized this, Dutch had a lot of work to do.
So the game plan, like, immediately I'm like, how do I get them out? And they have threatened to retaliate.

So I think, okay, I need to secure our financial accounts first.

Secure bank accounts and all financials.

Secure social media.

Secure medical.

Secure all this sensitive personal stuff as fast as I could right now.

And did you buy a new computer to do all this stuff?

Because they're in your computer, right?

They're on my gaming PC, yes.

I've already determined that my wife's MacBook is fine.

So I'm working on that. I'm working on her MacBook.

So first I secure those accounts as quickly as I can. Change the passwords and all that.

Yeah. And we just start erasing everything. We're reformatting computers. I just go straight through the night.
Dutch said he got a call from Disney's InfoSec team the next morning, and they told him that the hacker had doxed him and his family, meaning they followed through on their threat to put Dutch's information online. All of his personal information, his passwords, his family's birth certificates, everything was now available for anyone to see.
Accounts are now actively hijacked. Like, people are getting into them, they're sabotaging them, they're, you know, changing passwords and vandalizing accounts.
You know, my kids' Roblox accounts were hijacked and stolen and they changed the passwords and tried to lock us out. And I'm just, at this point now, not only am I trying to make my way through the list, but I'm trying to recover things as they're being taken.
I'm trying to actively block people who are trying to get into things. And it's just nonstop.
Meanwhile, at his employer, Disney, they were having problems with the hacker too.

And Dutch's nightmare was about to get a lot worse.

That's next.

The same morning that a hacker made all of Dutch's personal information public, they also released massive amounts of Disney data online. Troves of confidential information, including things like passport numbers for cruise workers and sales of theme park passes and streaming data.
Disney is investigating a July data leak of its internal Slack channels. Hacktivist group called Null Bulge has come out saying it has leaked more than one terabyte of information from Disney's Slack.
That's a software platform. That one terabyte of Disney data included more than 44 million Slack messages, 18,000 spreadsheets, and 13,000 PDFs. And the hacker got it all through Dutch.
Saying it gained access through a Slack user who had cookies. Disney says it's investigating the matter.
The Wall Street Journal was the first news outlet to report the contents of what the hacker released. The stolen information gave a rare look inside the inner workings of a big company.
There were discussions of ad campaigns, studio technology, and information about unreleased projects. There was even revenue data about each of Disney's streaming services, which had never been made public before.
In a regulatory filing last summer, Disney said it was investigating the incident, but that it wasn't expected to have a material impact on its operations or financial performance. Among the things that the hacker put out there in the data dump was also a claim that Dutch was in on it.
And then I start getting messages from press. The media is starting to reach out to me.
You know, people are messaging me on LinkedIn and saying, why did you hack your employer? Because you can trust something that a hacker says on their website as they dox that person. Dutch says that he was not part of the hack.
So a week goes by, again, I'm fending people off still. People are just actively, day and night, nonstop trying to get into things.
I'm still, like, having panic attacks every time my phone makes a sound. You know, like, you get the notifications as people are trying to get in.
Like, ding, ding, ding, ding, ding, ding. Eventually, after Dutch finished changing all of his passwords, things started to calm down, and he tried to get back to his job.
And I'm like, okay, maybe I should see if I can start doing a little bit of work again. And I get this call and it's from a Disney area code.

So I pick it up and, you know, they introduce themselves from like Disney HR and they're like, how are you doing, Dutch?

And I go, well, you know, I'm surviving.

And they go, well, the reason we called, you know, is during the investigation of your computer, we discovered that you had accessed pornographic content. And I'm like, I'm completely at a loss.
I'm thinking, well, they, I guess they must have called the wrong person. And I'm like, no, I'm the one that was hacked. And, um, and I go, well, we determined that, uh, this has nothing to do with that. Um, and I'm like, well, it's, but that's not true. And I go, well, because you access pornographic content on a company computer, you're being terminated effective immediately.

I don't remember much after that.

Dutch denies ever viewing pornography on his work computer.

In a statement, a Disney spokesperson said his denial is, quote, firmly refuted by the company's review of his company-issued device.

After you found out that you had been fired, like, what were you feeling?

Felt like my life was over.

Everything I had built, everything I had worked for, my relationships, projects, reputation.

It's all gone. I thought I was going to retire there.
You know, I never thought when I started working there that I would work for a big company. But Disney is one of the few companies I actually felt kind of good about.
Dutch said losing his job felt worse than getting hacked and doxxed. You know, this whole week, I had been surviving on the support of all these people at Disney, calling me, checking in, reaching out, making sure I'm okay, saying, look, this could happen to anybody.

Don't beat yourself up over it. It's not your fault, you know?

And then this.

Up until that point, did it feel like they had your back?

It did. I thought they did.

I thought they supported me. I thought they were going to protect me.

And my support network is gone.

Again, you know, that's...

I've been there for a long time. You spend more time with those people than you do with your own family. Your co-workers, yeah.

Yes. I considered many of them genuine friends.
Dutch ended up finding another tech job in December. And he says he's been in touch with the FBI about the hack.
Still, he felt burned by Disney. It's like my identity was tied up there, and it was just taken away, you know?

I don't know.

It just feels like I'm in my 40s, you know?

I'm not getting any younger, but my career has been thrown way, way, way back, and there's no catching up.

There's no getting it back.

So he decided to sue.

In February, he filed a wrongful termination lawsuit against Disney, alleging slander and whistleblower retaliation for speaking out against the company's cybersecurity standards.

Disney did not comment on the lawsuit.

I always thought that I had a good security posture.

Obviously, little oversights are all it takes.

I want to say hackers are getting sophisticated, but it's not even a matter of sophistication.

It's just they can throw very wide nets, very unsophisticated wide nets, and just have patience. I didn't think about this computer being anything other than a toy.
I always figured, if you get some malware on there, you know, reformat Windows. Just maybe lose some games, reinstall them.
You know, what's the worst that could possibly happen on there? That's all for today. Monday, March 17th.

The Journal is a co-production of Spotify and The Wall Street Journal.

Additional reporting in this episode by Bob McMillan, Sarah Krouse, and Robbie Whelan.

Thanks for listening. See you tomorrow.