The Disney-Slack Data Breach of 2024
- Logan Standard
- 2 days ago

The Walt Disney Company suffered a significant cybersecurity breach between April and May of 2024, an incident that highlights the importance of securing organizational shadow IT. A total of 1.1 terabytes of corporate data was exfiltrated through the compromise of an employee’s Slack account. While initial reports attributed the attack to a Russian hacktivist group named "Nullbulge," it was later revealed that Ryan Mitchell Kramer, a 25-year-old man from Santa Clarita, California, was responsible. He had used the alias "Nullbulge" to obscure his identity.
Kramer orchestrated the breach by distributing a malicious file disguised as an AI art program on platforms such as GitHub. When a Disney employee downloaded the program, Kramer gained unauthorized access to the individual's stored credentials via the 1Password password manager. With these credentials, Kramer infiltrated thousands of internal Slack channels. The stolen data included 44 million Slack messages, 18,800 spreadsheets, and 13,000 PDFs—many containing sensitive business information such as unreleased project details, proprietary source code, financial records, and confidential communications.
According to a statement from the Department of Justice in May 2025, Kramer contacted the compromised employee, Matthew Van Andel, threatening to publish both the stolen corporate data and Van Andel’s personal information unless demands were met. When Van Andel did not respond, Kramer leaked the data on a well-known hacking forum, BreachForums, in July 2024. The DOJ confirmed that Kramer has agreed to plead guilty to two felony charges: one count of unauthorized access to a computer and another of threatening to damage a protected computer. Each charge carries a statutory maximum sentence of five years in federal prison.
The implications of the breach reverberated through both the entertainment and tech sectors. Customers, partners, and investors voiced their disbelief and anger over how a breach could affect such reputable brands. Social media exploded with debates on security, trust, and concerns over potential misuse of the compromised data.
The root cause of Disney’s breach lay in gaps within the company's security policies surrounding its use of Slack. Although Slack itself adhered to industry-standard security practices—including encryption and multi-factor authentication—it operates under a shared responsibility model typical of SaaS platforms. This model places the burden of access control and usage policies on the client organization. While Disney has since transitioned from Slack to Microsoft 365 for internal communications, the 2024 breach stands as a cautionary tale of the vulnerabilities created by unmanaged shadow IT and the need for robust endpoint and identity management across modern enterprises.