Disney is facing a class action lawsuit over a significant data breach that reportedly exposed sensitive personal information of thousands of employees and some cruise line passengers.
The legal action, filed in Los Angeles County Superior Court by Scott Margel, accuses Disney and Disney California Adventure of negligence, breach of implied contract, and violation of privacy laws in their handling of the data breach and its aftermath.
According to the Wall Street Journal, the breach involved more than 18,800 spreadsheets, 13,000 PDFs, and 44 million internal Slack messages. The compromised data included highly sensitive information about Disney cruise employees, such as passport numbers, visa details, birthplaces, and physical addresses. At least one spreadsheet contained personal details of Disney Cruise Line passengers.
How Disney hackers got in
The hacking group NullBulge claimed responsibility for leaking approximately 1.2 terabytes of Disney data in July. The group said it gained access through "a man with Slack access who had cookies" and cited Disney's treatment of artists, approach to AI, and "blatant disregard for the consumer" as motivations for the attack.
The 32-page complaint alleges that affected individuals "remain in the dark regarding which particular data was stolen, the particular malware used, and what steps are being taken, if any, to secure their personal information going forward."
The lawsuit estimates thousands of employees who provided sensitive personal information to Disney as part of their employment have been affected.
In response to the breach, Disney reportedly plans to discontinue its use of the Slack communication platform. A spokesperson said that Disney is "investigating this matter," but provided no further details.
Disney legal action
The legal action demands that Disney strengthen its security systems and educate affected individuals about potential risks associated with the breach. The plaintiff is also seeking unspecified damages and has requested a jury trial.
The case highlights growing concerns about corporate data security and the responsibility of employers to protect employee information in an increasingly digital workplace. It also raises questions about communication protocols following such breaches and the extent of corporate responsibility in safeguarding sensitive personal data.