
In a recent podcast interview with Cybercrime Magazine's host, David Braue, Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, discusses a recent data breach affecting information from Disney, including a range of financial strategy details that shed light on the entertainment giant's operations. The podcast can be listened to in its entirety below. 

 

Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak

David: Scott, welcome to the podcast.

Scott: Great to be here with you, David.

David: So, Scott, there's been a bit of a breach. Recently, this was quite an interesting one. We've talked about all kinds of problems that companies have run into, but this one involves no less than Disney, that massive entertainment giant. We all know and love Disney, and they seem to have had a slight problem with a data breach recently. Tell us about what happened.

Scott: Yeah, absolutely. And you're right. I think, just thinking about this brand perspective. Everybody knows Disney. Anybody that has kids probably has been to Disney, has bought merchandise, so there's a connection that's kind of near and dear to all of us with Disney, one way or another, and we make certain assumptions, I think, with a strong brand, we assume they always have strong cybersecurity measures in place, so on and so forth. But as we often talk about, nobody's immune to data breaches and hacks, and in this case, they suffered a pretty significant data breach here that really exposed thousands of Disney cruise line customers and employees. A lot of their personal information. And the part I guess that's interesting about this one is the data. It was over 44 million Slack messages were stolen as well as close to 20,000 spreadsheets and 13,000 PDFs. And it had sensitive information on it. Home addresses, visa information, passport numbers, all things associated when we travel on a cruise, and that's certainly very concerning, as well as a lot of other small information. But the platform, Slack, is really, in a sense, like a chat room for a company or an organization and it's often used instead of using email as a primary means of communication. And many companies have some platform that they kind of settle on and once they get settled on it, everybody uses it, and they share lots of information. Sometimes it's private information, sometimes personal information. In this case, also some sensitive information. So I think, as this one unfolds, we're going to learn a lot more. And I think the brand Disney is probably going to take a hit here, and Mickey's not going to be happy.

David: No, he's definitely not going to be happy at all. I mean, this is a tool that the largest companies in the world use. Slack is a repository for quite a lot of confidential information. I mean, people use it to communicate internally. They use it, I imagine, quite casually. They use it quite formally to communicate with executives, share ideas, spitball things. I mean, we now have the contents of nearly 10,000 public and private chat channels that have been downloaded. And you know that's gold for someone that wants to find out more about Disney. They really have got the keys to the Magic Kingdom here, haven't they?

Scott: Yes, well said there, and I think Slack is something that when you look at large companies, and some smaller ones, too, the number of organizations I think it's more than 750,000 organizations use Slack every single day. They've got over 2,500 employees. So it's well established. It's well known. It's a very effective means of communication and sharing information and files and all that. Hence, the problem when you have to deal with cybersecurity concerns and a breach like this is really a bad thing.

David: Definitely. And I mean, as you said, you'd think a company like this would be investing heavily in security, and I'm sure that Disney has invested quite significantly. I'm sure they've got pretty strong teams of cybersecurity experts. I mean, these are no 'Dumbos.' These are people that are really out there to protect quite a lot of information. Quite a lot of systems. This is customer-facing. This is backend stuff. This is streaming. This is, as you said, cruise ships. This is theme parks. I mean, this is a lot of different operations, and there's no way they didn't think about security. But it turns out from what we're understanding. This was just because one account got compromised.

Scott: Yeah. And that's a really good point you bring up, David. Sometimes, that's all it takes. It's that one vulnerability that's exploited. In this case it was a single account with Slack that they got through, and I think the hacker group that's taking claim for this, it's believed to be called 'NullBulge' and they're really behind the breach. They infiltrated Disney's system through that single Slack access. And that's a weak spot. And that's typically how things happen. All it takes is one spot. Somebody exploits it. They get in there, and they move across the network. And it tells us the importance for companies to shore up everything and be diligent, to constantly check and protect that there's no weak spots in a company, and I think, usually between not just the spend on cybersecurity, but bringing in third parties to really constantly recheck and do a penetration test. Probably one of the most effective ways to really find where there are weak points and access points that somebody could get in, that they could be exploited. And then, obviously, it goes down the chain. When you find these weak spots, the importance of educating employees and everybody from A to Z in the loop. So they realize, hey, we got to all work together as a team here, and I'm sure Disney does do that, but I guess not enough was done here, unfortunately.

David: All it takes is one executive with 12345 as their password. And there you go, right? This is the concern. I mean. This is a reminder. Probably what's happened is that you know this is the case where someone has used the same password for their Slack account as they've used for other accounts. And then the other accounts get breached. I mean, we hear this all the time, and when you happen to use the same credentials for personal business and your business accounts. It really does create a risk for your employer that they may not have anticipated. They would expect that people are doing a better job.

Scott: Exactly, and I think this speaks to a larger, probably concern. The focus here is obviously Disney, which is a huge corporation, so many moving parts, and affects so many people. But then, what about those other 750,000 companies that rely on communication platforms like Slack each day, that share very similar type of things? Are they too vulnerable? Is the question that I ask in the back of my mind, and what things could be done to strengthen that so it doesn't happen again. And unfortunately, with all large corporations, and when sensitive information is compromised, there's always monetary damages and impending lawsuits that are seeking for damages and things like that that shareholders outraged, and others that say, 'Hey, Disney, step up to the plate here, what are you going to do about this? What commitment can we get from you that this won't happen again? And how do you protect our data better? And what provisions you're going to put forth from a cybersecurity perspective, and practices to strengthen the corporation so this can happen again, and individuals won't face these different types of risks.' So that's a lot of questions for Disney now to answer while there's still an ongoing investigation and they're trying to kind of see through the weeds. It could be very challenging.

We'll be right back after a quick word from our sponsor.

Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak. That's cimcor.com slash CIMTRAK


And now, back to the podcast.

David: I mean, they've got so many people to answer to. And unlike a lot of companies where it's usually the customers that they're apologising to. I mean, this goes really to the heart of the company. I mean, you've got employees, social security numbers, passports, confidential information, I suspect, buried in there. We even can find out what Steamboat Willie was being paid. This is fundamental stuff, but particularly you mentioned the stakeholders like, you know, the shareholders, the markets. I have a great interest in this kind of information, and some of this stuff is really pretty revealing, I mean, for a massive company with so many stakeholders to have financials leaked, projections exposed. There was presentations in there, the spreadsheets about pretty current financial information. I mean, we now know that, for example, the Genie Plus Pass, which is New Park Pass that was introduced in 2021, generated over 724 million dollars in pre-tax revenue just at Walt Disney World alone in 2 and a half years. I mean, so this is a lot of information that hasn't been released publicly before, and really does have real-world implications for the company. This is the kind of threat vector that you really don't anticipate.

Scott: Yeah, the eye-opener. Sometimes when there's disclosure reminds me, back in the days when there was the Sony breach. And suddenly, now all these celebrities that many people loved and some hated. Suddenly you learn what their salaries are, and this one's paid more than that one, and some of the I call it the dirt behind the scenes you learn about, and it changes people's perspective on a company or an organization, and that really speaks to the, in this case, Disney's reputation and customer trust and then how closely that's tied in to the importance of corporate responsibility and data protection because they kind of go hand in hand. Once those things are revealed and out in the open. You can't take them back.

People now hear these things, and sometimes it tarnishes a company, and sometimes it doesn't. But I think Disney, unfortunately, has to move forward. They can't put their Goofy hat on. No pun intended, you know. They have to step up to the plate and be transparent and tell people. 'Hey look, here's what's happened. Here's a mistake was made. We're going to own it, and we're going to do the following things going forward.' And hopefully, that's going to be happening in the coming days and weeks. As this all unfolds, an investigation kind of proceeds, and I think that will help them rebuild their brand quickly. Look at the Target breach many years ago same thing happened. They stepped up to the plate. It took some time, but they were able to rebuild the brand. Target's a very strong brand, much stronger now than it was back in 2013 when they suffered the biggest credit card breach.

JP Morgan Chase, one of the most powerful banks in the world. They suffered a massive breach a number of years back, but again they spent the money in the right places. They built up their reputation and rebuilt their customer trust, and spent the money. And that's the key. Unfortunately, it costs money to do things right in the world of cybersecurity when you're a mammoth corporation in this world.

David: That's definitely true. And when you try to recover from something like this, it's pretty significant. I mean, we're talking about a huge customer base using a pretty fundamental platform trying to extricate yourself from something like Slack and to extricate all this information retrain your users. There are reports that Disney is actually switching to another platform. It's not clear which one it's going to be yet. But I mean, how can they make sure that a similar thing doesn't happen? You know, this really does seem to be sort of deck chairs on the Titanic, I suppose, is the metaphor, but the concern is that the same thing could easily happen to the new platform. And what do you do then? Can you avoid this sort of thing?

Scott: It's hard, unfortunately, in the world we live in today with so much rich data, and all of us, unfortunately, are so tied into our devices, our tablets, our computers, our smartphones. We have to take some time and back up from things and ask ourselves, Where are we storing this information? Is it properly protected? Does everybody need to have access to it? Are we too open in communication sometimes? I think sometimes we are. We share too much and not thinking ahead. What are the consequences if this party were reading this? And I think that's some of the dangers I think we're going to be going back to good old paper and pencil sometimes. It's sad, but it does keep things safer. When you look at the big picture.

David: It definitely is, and this is a hit for Salesforce, you know. Slack has really become the de facto, I guess the corporate grade iMessage, as it were, or any number of messaging platforms that are out there. Slack advertises a lot of features which are very useful, but to see that it can be that compromised that easily would be eye-opening. And it's not really the first time it's been compromised, either. Understand that Uber and Activision had breaches a little while back. It's risky.

Scott: Yeah, it really is. I think when you look at this, any corporation, when they start standardizing on packages and large platforms like Slack, they have to be concerned because you're kind of putting all your eggs in one basket, and unless you really do your due diligence, and not just vet it upfront, but ongoing to make sure that these platforms are secure and your staff is properly trained to work and align with that there's going to be risks there, there's a level of risk. You're looking at productivity versus cybersecurity risks. And you're measuring that trade-off constantly and kind of that risk balance assessment that you have to make. And that is certainly one of the more daunting tasks, I'm sure, for Disney as they have it happening. I'm sure in hindsight, if they look back, yeah, do they want to take Tinkerbell's magic wand and make it all disappear? Sure. But it's not that easy.

David: Very true. Now we talked about the credentials, and the cybercriminals are out there clearly harvesting credentials all the time. These things are being published online; you can get billions and billions of email accounts, user IDs, passwords, basically without very much effort at all. Could a company like Disney have, I guess, potentially avoided this by being more proactive about patrolling those data breaches and looking to see if any of its employees have been compromised? I mean, is that something that potentially could have allowed them to flag these accounts early on?

Scott: Yeah, absolutely. And even if Disney themselves didn't have the time or wherewithal to do it, there's a lot of companies you can hire. There's experts out there that will do that work for you. So it's really taking the time and spending some money to actually go out there and say, 'Hey, let's check and go out there in these repositories and see, is there any credentials tied to our company that could cause a potential damage that could cause a potential breach.' And they find out quick usually, I mean, I know myself when my company was targeted and we were hacked. This goes back many years. I worked with an Israeli company, and they went on the dark web and they searched for my name, my company's name, and a bunch of other things, and they quickly. This was in about 24 hours they got back to me and showed me conclusive evidence that there was information on the dark web with known notorious hackers targeting me, and the alarm bells went up, and it allowed me to react quickly and prevent further damage from happening. But if I didn't have that knowledge very quickly. I couldn't have taken action. More damage could have been done. More money could have been lost, more brand damage to our company's name could have been done. So is Disney doing that? Have they been doing it? Don't know. Should they have been? Absolutely.

And I think the claim, and again, this is still kind of under investigation from this hacker group, NullBulge. They claim that the attack was a protest against Disney's approach to AI and, to some degree, the treatment of creative professionals. So, in a sense, it kind of reminded me of almost like an activist movement or something. Where there's 'Hey, there's, you know, strength in numbers behind the scenes. We're going to speak up. And we're the voice in the world of cyber that's going to teach you guys a lesson,' you know, we'll see as this again unfolds. Is there dirt in there? In some of the Slack messages that find out about that they do suppress creative talent and professionals and other things like that. It could be the case. We don't know. I don't want to speculate on it, but it's interesting that somebody's making that that's the claim with this hacker group is saying, well, here's the real reason behind it. We're fighting the big guy, so it remains to be seen. But it will be interesting as this develops the story further.

David: Just fighting the man. It's an interesting idea. I mean, you're protesting the treatment of creatives by compromising, probably arguably, the largest creative organization in the world, and challenging its financial viability, which what could possibly go wrong with that, right? The implications of this will become more clear over time. This is the kind of thing that really probably has a pretty long tail, doesn't it? I mean, we're talking so much data that humans trolling through this is going to take a while before they pick up some more nuggets. So far, they've had a few, haven't they?

Well, this is, I guess, the challenge with a collaboration platform like this. I mean, this isn't the first time this even happened to Disney. Earlier in the year, they had a server that was compromised, a Confluence server, and 2 and a half gigs of data was stolen from Club Penguin, which was, you know, one of those services that many of us will know from our kids. I certainly remember that one, and that was published as well. So you know, this is happening, and there's no guarantee it won't happen again.

Scott: Yeah. And I think this probably will not be the last, unfortunately. And this is true again. No, we're not just singling out Disney. This is really all large corporations, and I think that there's just a trove of information and value there that you can't plug up all the holes in the dam, unfortunately, and all you got to do is exploit that one weakness, and it's probably happening to all the larger corporations. It's just we hear about it when there's a level of success, and especially when it's noteworthy and tied to a larger brand. Then it really is going to make the headlines, and it's going to get out there to the mass media. It's unfortunate, but we'll see if certainly how Disney responds to it. To me, that really tells you the stature of a company.

If they respond properly, they will rebuild customer trust. They will still have long lines of people paying to get into their parks and on their cruise ships and buy their characters, and so on and so forth, because when you build a good strong brand, I think you can be resilient if you keep working at keeping it strong.

David: Very, very true. And certainly, if a company like Disney can't recover from something like this, who can in the end?

Scott: Exactly. Exactly.

David: Yeah. Well, it's definitely an issue. And it's going to be an interesting one to see how this continues to evolve and see how they pivot away from this, and try to make sure that they'll be more secure in the future. I mean, I guess the lesson that we've all learned from this is that a platform like this is fundamentally important to the company. But you know it can be a beauty and a beast at the same time.

Scott, it's been great chatting with you. Thanks so much for your time.

Scott: Yes, thank you, too, enjoyed it. Thanks, David.


Post by Lauren Yacono
October 24, 2024
Lauren is a Chicagoland-based marketing specialist at Cimcor. Holding a B.S. in Business Administration with a concentration in marketing from Indiana University, Lauren is passionate about safeguarding digital landscapes and crafting compelling strategies to elevate cybersecurity awareness.
