Disney’s Failure to Safeguard Sensitive Information

Disney Data Breach Exposed Employees and Guests After Security Failures
Corporate Misconduct Accountability Project

A July 2024 cyberattack on Disney’s Slack channels exposed over one terabyte of sensitive employee and guest data, including passports, medical information, and visa details. Employees learned about the breach from media reports, not Disney, months after the incident.

Severity: Critical
TL;DR

In July 2024, hackers infiltrated Disney’s internal Slack channels and accessed over one terabyte of sensitive data from thousands of employees and guests, including names, addresses, dates of birth, passport numbers, visa information, medical records, and employee assignments. Disney failed to secure this data with adequate encryption or security measures despite being a multi-billion-dollar corporation. Employees and guests were not notified for months and learned about the breach through media outlets rather than direct notification from Disney.

This case shows how cost-cutting on data security can leave workers and consumers vulnerable to identity theft for years.

1+ TB: Sensitive employee and guest data stolen by hackers
44M+: Slack messages exposed in the breach
18,800+: Spreadsheet files leaked containing personal information
$2.4B: Disney+ revenue in Q2 2024 alone, showing resources available

The Allegations: A Breakdown

Core Allegations: What Disney Did
01 Disney stored highly sensitive employee and guest data, including passport numbers, visa information, dates of birth, addresses, and medical information, without adequate encryption or security protection on its internal Slack channels. high
02 Hackers from the group NullBulge infiltrated Disney’s Slack workplace channels in July 2024 and accessed over one terabyte of data, including more than 44 million messages, 18,800 spreadsheet files, and 13,000 PDFs containing personal information. high
03 Disney failed to promptly notify affected employees and guests after discovering the breach in July 2024. Victims learned about the breach from Yahoo and Wall Street Journal articles published in September 2024, not from Disney directly. high
04 Disney continued to collect and store personal information on vulnerable systems even after the company knew or should have known about security vulnerabilities that were exploited in the breach. high
05 The company failed to implement industry-standard security measures such as data encryption, adequate employee training on handling sensitive information, regular security audits, and behavior monitoring to detect unauthorized access. high
06 Disney did not adequately train employees to avoid uploading personally identifiable information to Slack channels or to recognize and prevent security threats. medium
07 The breach exposed data belonging to both adults and children, including those covered under employee benefit plans, placing minors at heightened risk of identity theft. high
08 Disney violated California’s Customer Records Act by failing to inform customers of unauthorized access to their personal information expeditiously and without delay, waiting months to provide any notification. high
Regulatory Failures: Why Oversight Failed
01 Disney violated the Federal Trade Commission Act by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information, which the FTC has established as an unfair practice. high
02 The company breached California’s Confidentiality of Medical Information Act by disclosing medical information to unauthorized persons without obtaining consent and failing to maintain confidentiality of that information. high
03 Disney violated California’s Customer Records Act by allowing unauthorized access to customers’ personal medical information and then failing to inform them of the unauthorized use, a delay of 159 days in the plaintiff’s case. high
04 Despite clear legal obligations under California Civil Code sections 56.10 and 56.101 to protect patient medical information, Disney’s misconduct directly resulted in unauthorized disclosure of sensitive health data to third parties. high
05 No regulatory body immediately stepped in to protect impacted individuals after the breach, leaving victims without guidance or support for months while their data circulated among potential identity thieves. medium
06 The patchwork of state and federal data privacy laws allowed Disney to exploit gaps in regulation, adopting minimal security standards rather than comprehensive protection measures. medium
Profit Over People: Cost Cutting on Security
01 Internal spreadsheets leaked in the breach revealed that Disney+ alone generated more than 2.4 billion dollars in revenue in the second quarter of 2024, demonstrating the company had substantial resources available to invest in data security. high
02 Disney chose to prioritize short-term profit margins over necessary cybersecurity investments, treating data protection as a discretionary expense rather than a core operational requirement. high
03 The company externalized the costs of inadequate security onto employees and guests, who must now bear the burden of credit monitoring, identity theft protection, and potential lifetime consequences of compromised personal data. high
04 Disney failed to implement adequate security measures despite being a large, sophisticated organization with resources to deploy robust cybersecurity protocols, instead accepting data breach risk as an acceptable cost of doing business. high
05 The company knew or should have known that reasonable consumers would want their personal information kept secure and would not have engaged with Disney had they known the information systems were substandard. medium
06 Disney was aware that if the substandard condition and vulnerabilities in their information systems were disclosed, it would negatively affect employee and customer decisions to engage with the company. medium
07 The corporation established a policy of accepting collateral damage to employees and guests as incidental to business operations rather than accepting the costs of full compliance with responsible data security practices. high
Economic Fallout: Who Pays the Price
01 Victims of medical identity theft face average total costs of about 20,000 dollars per incident and must pay out-of-pocket costs for healthcare they did not receive in order to restore coverage. high
02 Almost half of medical identity theft victims lose their healthcare coverage as a result of the incident, while nearly one-third see their insurance premiums rise, and forty percent are never able to resolve their identity theft at all. high
03 Employees and guests must now spend time and money on credit monitoring, identity theft insurance, self-monitoring accounts, and seeking legal counsel to remedy and mitigate the effects of the breach for the rest of their lives. high
04 The compromised personal information can be sold on the dark web, where personal information sells for 40 to 200 dollars, bank details for 50 to 200 dollars, and stolen credit card numbers for 5 to 110 dollars, with access to entire company data breaches selling for 999 to 4,995 dollars. high
05 Victims suffer lost opportunity costs associated with effort expended and loss of productivity addressing and attempting to mitigate actual and future consequences of the breach, including time researching how to prevent, detect, contest, and recover from identity theft. medium
06 The stolen data may be held for up to a year or more before being used to commit identity theft, and once stolen data has been sold or posted online, fraudulent use of that information may continue for years. high
07 Employees and guests face continued risk to their personal information which remains in Disney’s possession and is subject to further unauthorized disclosures as long as Disney fails to undertake appropriate and adequate protective measures. medium
Worker Exploitation: Employees Left Vulnerable
01 Employees were required to provide highly sensitive personal, financial, health, and insurance information to Disney as a condition of employment, creating a relationship of trust that Disney violated by failing to protect that data. high
02 Workers discovered their personal information had been compromised not through direct notification from their employer, but by reading news articles published months after the breach occurred. high
03 Disney employees’ passport numbers, visa information, employee assignments, dates of birth, and addresses were all exposed to unauthorized third parties who can use this information for identity theft and fraud. high
04 The breach violated the implied contract between Disney and its employees, in which workers provided sensitive personal data in exchange for the company’s promise to safeguard and protect that information using reasonable security methods. high
05 Employees face imminent and impending injury from the substantially increased risk of fraud, identity theft, and misuse resulting from their personal information being placed in the hands of unauthorized third parties and criminals. high
06 Workers suffer anxiety and increased concerns for loss of privacy, as well as anxiety over the impact of cybercriminals accessing, using, and selling their personal and financial information. medium
07 Disney’s failure to provide timely and clear notification of the breach prevented employees from taking meaningful, proactive steps to secure their personal information and protect themselves from identity theft. high
Public Health and Safety: Medical Data at Risk
01 The breach exposed protected health information and medical data belonging to employees and their families, placing them at risk of medical identity theft, one of the most common, expensive, and difficult-to-prevent forms of identity theft. high
02 Medical-related identity theft accounted for 43 percent of all identity thefts reported in the United States in 2013, more than identity thefts involving banking, finance, government, military, or education. high
03 Victims of medical identity theft often experience financial repercussions and frequently discover erroneous information has been added to their personal medical files due to the thief’s activities, which can affect their ability to receive proper healthcare. high
04 The exposure of health insurance plan member IDs, claims data, and clinical information puts employees at risk of having insurance benefits stolen, facing denial of medical services, or receiving wrongful billing for treatments they never received. high
05 Medical identity theft victims can experience inaccurate medical records that follow them throughout their lives, potentially affecting diagnoses, treatment decisions, and insurance eligibility in ways that directly threaten their physical health and safety. high
06 Children whose health information was compromised in the breach face unique vulnerabilities, as medical identity theft affecting minors can go undetected for years and cause devastating consequences when they reach adulthood. high
Corporate Accountability Failures: Avoiding Responsibility
01 Disney disregarded the rights of employees and guests by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure their personal information was safeguarded. high
02 The company failed to follow applicable, required, and appropriate protocols, policies, and procedures regarding encryption of data, even for internal use, despite knowing these measures were necessary. high
03 Disney knew or should have known of the susceptibility of its data security systems to breach, the importance of adequate security, and the risks inherent in collecting and storing personal information, yet failed to act on that knowledge. high
04 The corporation knew about numerous well-publicized data breaches across industries but failed to take appropriate steps to protect employee and guest information from being compromised despite clear warning signs. high
05 Disney failed to implement processes to quickly detect the data breach in a timely manner and failed to act upon data security warnings and alerts, allowing the breach to remain undetected and unreported for months. high
06 The company failed to adequately address and fix the vulnerabilities that permitted the breach to occur, leaving employees’ personal information subject to ongoing risk of further unauthorized access. medium
07 Disney breached its duty to notify employees and guests of the unauthorized access by waiting months after learning of the breach to provide any notification, and then failing to provide sufficient information about the extent of the compromise. high
08 The corporation’s conduct demonstrates gross negligence in light of foreseeable risks and known threats, willfully failing to abide by duties owed to employees and guests despite obvious dangers. high
Exploiting Delay: Concealing the Breach
01 Disney discovered the data breach in or around July 2024 but did not inform affected individuals for months, with some employees learning about it 159 days after the breach occurred. high
02 The delay in notification prevented employees and guests from taking immediate protective measures such as placing fraud alerts on credit reports, requesting new passports or identification documents, or monitoring for identity theft. high
03 Victims remain in the dark about what particular data was stolen, what specific malware was used, and what steps are being taken to secure their information going forward, leaving them to speculate about the full impact. medium
04 Disney’s failure to provide timely and clear notification violated California law requiring businesses to inform affected individuals expeditiously and without unreasonable delay when personal information has been compromised. high
05 The company concealed the existence and extent of the breach for an unreasonable duration of time, failing to provide prompt and accurate notice to employees and guests about the compromise of their sensitive data. high
06 Through their failure to provide timely notification, Disney prevented victims from understanding when or for how long the breach occurred, making it impossible for them to assess their true level of risk and exposure. medium
The Bottom Line: What This Means
01 Disney’s data breach was preventable through proper planning and correct design and implementation of appropriate security solutions, including encryption and monitoring of Slack channels containing sensitive data. high
02 Organizations that collect, use, store, and share sensitive personal data must accept responsibility for protecting that information and ensuring it is not compromised through lax security and failure to enforce security policies. high
03 The breach demonstrates how inadequate data security practices at large corporations can leave thousands of employees and guests vulnerable to identity theft, financial fraud, and medical identity theft for the rest of their lives. high
04 Employees and guests have suffered and will continue to suffer damages including actual identity theft, loss of privacy, out-of-pocket expenses, lost time and productivity, continued risk to their information, and future costs to prevent and recover from identity theft. high
05 The case illustrates the broader pattern in which corporations minimize overhead by skimping on necessary protective measures, externalizing the costs onto individuals while internalizing profits from cost savings. high
06 Without meaningful legal consequences, robust regulatory enforcement, and systemic changes that make security and ethics integral to corporate strategy, data breaches will continue to be treated as acceptable costs of doing business. high

Timeline of Events

July 2024: Hacker group NullBulge infiltrates Disney’s internal Slack channels and begins accessing employee and guest data
July 2024: Disney discovers the data breach but does not immediately notify affected employees or guests
September 7, 2024: Yahoo publishes an article revealing the Disney data breach, marking the first time many employees learn of the incident
September 2024: The Wall Street Journal publishes a report detailing the sensitive nature of the leaked files, including personal data of Disney staff
October 3, 2024: Scott Margel files a class action lawsuit against Disney in Los Angeles Superior Court on behalf of all affected individuals

Direct Quotes from the Legal Record

QUOTE 1: Massive Data Exposure (allegations)
“According to the article, a hacker group called ‘NullBulge’ gained access to over 1 terabyte of sensitive data from Disney after infiltrating the company’s internal Slack channels. Now, a new report by the Wall Street Journal, which actually viewed the leaked files, uncovered more about the sensitive nature of the data in the stolen files, including personal data of Disney staff members.”

💡 This confirms the breach exposed a massive volume of sensitive employee data, not just minor information.

QUOTE 2: Scope of Compromised Information (allegations)
“The leak consists of more than 44 million messages found in Disney’s Slack workplace channels. This also includes around 18,800 spreadsheet files and 13,000 PDFs. The data leaked by the hackers was limited to files Disney employees posted in a Disney Slack channel, with both private and public channels affected.”

💡 The sheer volume of compromised files demonstrates systemic security failures across Disney’s communications infrastructure.

QUOTE 3: Financial Resources Available (profit)
“According to internal spreadsheets found in the leaked data, ‘Disney+’ alone made more than $2.4 billion in revenue in the second quarter of 2024.”

💡 This proves Disney had substantial financial resources to invest in proper data security but chose not to prioritize it.

QUOTE 4: Notification Failure (delay tactics)
“Representative Plaintiff(s) and Class Members have yet to receive a letter from Defendant, stating that their PHI/PII and/or financial information has been involved in the Data Breach. Representative Plaintiff(s) and Class Members became aware of the Data Breach through articles.”

💡 Victims learned about the breach from media reports rather than direct notification from Disney, violating legal obligations.

QUOTE 5: Intentional Security Failures (accountability)
“Defendants disregarded the rights of Representative Plaintiff(s) and Class Members by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that Representative Plaintiff(s)’ and Class Members’ PHI/PII was safeguarded, failing to take available steps to prevent an unauthorized disclosure of data, and failing to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use.”

💡 The complaint alleges Disney’s failures were not accidental but represented willful disregard for data protection duties.

QUOTE 6: Known Cyber Threat Landscape (accountability)
“Defendants’ negligence in safeguarding Representative Plaintiff(s)’ and Class Members’ PHI/PII is exacerbated by repeated warnings and alerts directed to protecting and securing sensitive data, as evidenced by the trending data breach attacks in recent years.”

💡 Disney had clear notice of rising cyber threats across industries but failed to take adequate protective measures.

QUOTE 7: Preventable Breach (conclusion)
“Defendants could have prevented the Data Breach, which began as early as July 2024 by properly securing and encrypting and/or more securely encrypting their servers generally, as well as Representative Plaintiff(s)’ and Class Members’ PHI/PII.”

💡 Security experts confirm the breach was preventable with industry-standard encryption and security protocols.

QUOTE 8: Medical Identity Theft Severity (health)
“A study by Experian found that the average total cost of medical identity theft is ‘about $20,000’ per incident, and that a majority of victims of medical identity theft were forced to pay out-of-pocket costs for healthcare they did not receive in order to restore coverage. Almost half of medical identity theft victims lose its healthcare coverage as a result of the incident, while nearly one-third saw its insurance premiums rise, and forty percent were never able to resolve its identity theft at all.”

💡 This demonstrates the severe and often permanent financial and medical consequences victims face from compromised health data.

QUOTE 9: Long-Term Risk to Victims (economic)
“There may be a time lag between when harm occurs versus when it is discovered, and also between when PHI/PII and/or financial information is stolen and when it is used. According to the U.S. Government Accountability Office (GAO), which conducted a study regarding data breaches: ‘[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.’”

💡 Victims face lifetime risk of identity theft since stolen data can be exploited years after the initial breach.

QUOTE 10: Regulatory Violation (regulatory)
“By the acts described above, Defendants violated the CRA by allowing unauthorized access to customers’ personal medical information and then failing to inform them when the unauthorized use occurred for weeks or months, and in the case of Plaintiff, for 159 days, thereby failing in their duty to inform their customers of unauthorized access expeditiously and without delay.”

💡 Disney violated California’s Customer Records Act by waiting over five months to notify at least one victim of the breach.

QUOTE 11: Medical Information Exposure (regulatory)
“As defined in the CMIA, California Civil Code §56.05(j), Defendants disclosed ‘medical information’ to unauthorized persons without obtaining consent, in violation of §56.10(a). Defendants’ misconduct, including failure to adequately detect, protect, and prevent unauthorized disclosure, directly resulted in the unauthorized disclosure of Representative Plaintiff’s and Class Members’ PHI/PII to unauthorized persons.”

💡 The breach violated California’s strict medical privacy laws by exposing protected health information without consent.

QUOTE 12: Breach Was a Business Decision (profit)
“Defendants have clearly established a policy of accepting a certain amount of collateral damage, as represented by the damages to Representative Plaintiff and Class Members herein alleged, as incidental to their business operations, rather than accept the alternative costs of full compliance with fair, lawful, and honest business practices ordinarily borne by responsible competitors of Defendants.”

💡 This alleges Disney made a calculated business decision to accept breach risk rather than invest in proper security.

QUOTE 13: Industry Standard Violations (accountability)
“Most of the reported data breaches are a result of lax security and the failure to create or enforce appropriate security policies, rules, and procedures. Appropriate information security controls, including encryption, must be implemented and enforced in a rigorous and disciplined manner so that a data breach never occurs.”

💡 Security experts confirm that breaches like Disney’s result from failure to implement standard protective measures, not sophisticated attacks alone.

QUOTE 14: Dark Web Data Market (economic)
“Numerous sources cite dark web pricing for stolen identity credentials. For example, personal information can be sold at a price ranging from $40 to $200, and bank details have a price range of $50 to $200. Experian reports that a stolen credit or debit card number can sell for $5 to $110 on the dark web. Criminals can also purchase access to entire company data breaches from $999 to $4,995.”

💡 This shows the monetary value of stolen personal data and confirms cybercriminals will profit from exploiting Disney breach victims.

QUOTE 15: Unjust Enrichment (profit)
“Since Defendants’ profits, benefits, and other compensation were obtained by improper means, Defendants are not legally or equitably entitled to retain any of the benefits, compensation or profits they realized from these transactions.”

💡 By failing to invest in proper security, Disney reaped financial benefits at the expense of employees and guests who were harmed.

Frequently Asked Questions

What information was stolen in the Disney data breach?
Hackers accessed over one terabyte of data including names, addresses, dates of birth, passport numbers, visa information, employee assignments, medical records, health insurance information, claims data, clinical information, and financial details. The breach exposed more than 44 million Slack messages, 18,800 spreadsheet files, and 13,000 PDF documents containing this sensitive information.
When did the Disney data breach happen?
The breach occurred in July 2024 when hackers from the group NullBulge infiltrated Disney’s internal Slack channels. However, Disney did not notify affected employees and guests for months. Many victims learned about the breach from Yahoo and Wall Street Journal articles published in September 2024, not from Disney directly.
Why didn’t Disney notify employees about the breach immediately?
The lawsuit alleges Disney violated California law by failing to inform affected individuals expeditiously and without unreasonable delay. Some employees learned about the breach 159 days after it occurred. The complaint suggests this delay was part of a pattern where corporations control public perception and limit liability rather than prioritizing victim protection.
How could Disney have prevented this breach?
According to the complaint, Disney could have prevented the breach by properly encrypting data stored on Slack channels, implementing adequate employee training about handling sensitive information, conducting regular security audits, monitoring user behavior to detect threats, and following industry-standard cybersecurity protocols. Security experts state that most data breaches result from lax security and failure to enforce appropriate policies, not unavoidable sophisticated attacks.
What are the risks to people whose data was stolen?
Victims face lifetime risk of identity theft, medical identity theft, financial fraud, and related crimes. Medical identity theft is particularly severe, with average costs of $20,000 per incident. Almost half of medical identity theft victims lose healthcare coverage, one-third see insurance premiums rise, and 40 percent never resolve the theft. Stolen data can be held for a year or more before being used, and fraudulent use may continue for years once data is sold on the dark web.
Why did Disney have access to passport and medical information?
Employees were required to provide highly sensitive personal, financial, health, and insurance information to Disney as a condition of employment. This included passport numbers and visa information for work eligibility verification, as well as medical and health insurance data for employee benefits. Disney collected and stored this information but failed to protect it with adequate security measures.
What laws did Disney allegedly violate?
The lawsuit alleges Disney violated California’s Customer Records Act, the Confidentiality of Medical Information Act, unfair business practices laws, and the Federal Trade Commission Act. Disney also allegedly breached implied contracts with employees and engaged in negligence and unjust enrichment by failing to safeguard personal data while benefiting financially from inadequate security investments.
How much money does Disney have to invest in security?
Internal spreadsheets leaked in the breach revealed that Disney+ alone generated more than $2.4 billion in revenue in the second quarter of 2024. The complaint argues this demonstrates Disney had substantial financial resources available to invest in proper data security but chose to prioritize short-term profits over protective measures.
What damages can victims recover in this lawsuit?
The lawsuit seeks actual damages, statutory damages, punitive damages, restitution, and injunctive relief. Victims may recover compensation for out-of-pocket expenses for identity theft protection and credit monitoring, lost time and productivity, emotional distress, loss of privacy, the diminished value of their personal information, future costs to prevent and recover from identity theft, and any actual identity theft or fraud that occurs.
What can I do if my information was exposed in this breach?
If you are a current or former Disney employee or guest whose information may have been compromised, you should immediately place fraud alerts on your credit reports with all three credit bureaus, consider freezing your credit, monitor all financial and medical accounts for suspicious activity, request new identification documents if passport or visa information was exposed, document all time and expenses related to the breach, and contact a class action attorney to discuss your legal rights. You may be entitled to join this lawsuit or file your own claim.
Post ID: 877  ·  Slug: disneys-failure-to-safeguard-sensitive-information  ·  Original: 2024-11-26  ·  Rebuilt: 2026-03-19

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
