Ryan Knudsen
Where does this story start?
Dutch Van Andel
So I'm not quite sure. So, you know, I didn't even realize it was that long ago at first until after the FBI had visited. And I told them I would put together like a detailed timeline for them.
Ryan Knudsen
This is Dutch Van Andel. Up until last year, he lived a pretty ordinary life. He's a software engineering manager, married with two kids and lives in the suburbs of Los Angeles. But last year, something happened that turned his ordinary life upside down. It started when Dutch downloaded a seemingly innocuous program onto his personal computer. It was an AI software called Vision LLM. And it could generate images he wanted, something his sons could play with, like.
Dutch Van Andel
Generate pictures of Easter bunnies and Roblox people and, you know, stuff like that.
Ryan Knudsen
He didn't know it at the time, but the program had a malicious code in it, a code that gave a hacker access to Dutch's computer. And over a period of months, that hacker stole all of Dutch's personal information, like his bank accounts and passwords.
Dutch Van Andel
They're getting into things they shouldn't have because they've got my Social Security number, they've got my birth date, they've got my email address. You can just make a phone call and pretend to be me because you have this information.
Ryan Knudsen
It was a nightmare. And it wasn't just his personal life that was hacked. Through Dutch, the hacker also got inside his employer, Disney. Disney has apparently been hit by a cyber attack. The hacking group Null Bulge says it leaked thousands of internal Disney messages after breaching. While Dutch's story is unusual, his life online wasn't. And what happened to him could happen to almost anyone.
Dutch Van Andel
These people, they may not be targeting you, but just because you work for somebody that they find interesting, they will destroy you to get at it.
Ryan Knudsen
Welcome to the Journal, our show about money, business and power. I'm Ryan Knudsen. It's Monday, March 17th. Coming up on the show, what it feels like to be at the center of a major hack on one of the world's largest companies.
Ryan Knudsen
That is one impressive mustache.
Dutch Van Andel
Thank you.
Ryan Knudsen
Dutch's mustache is long, straight, and points directly out to the sides.
Dutch Van Andel
Started with just curling the corners with some wax, and I wanted to make a loop, but it turns out every time it gets hot, my hair is stubborn and that loop turns into a hoop. So I just started keeping it straight instead.
Ryan Knudsen
Dutch is 43, and his real name is Matthew.
Dutch Van Andel
I tend to go by Dutch because there's just too many Matts everywhere you go.
Ryan Knudsen
Right.
Dutch Van Andel
I was the Dutch Matt, and then it just became Dutch.
Ryan Knudsen
The Dutch. Are you Dutch?
Dutch Van Andel
Yeah, yeah. It's, well, you know. Family name Van Andel. Grandparents were Dutch, so I'm like third generation, something like that.
Ryan Knudsen
The first sign that Dutch's life was about to be turned upside down happened last spring.
Dutch Van Andel
So in May, we have our credit cards stolen. We're racking up thousands of dollars in these fraudulent credit card charges on, like, all of our credit cards. And it's really bizarre. And I can't figure out what exactly is going on.
Ryan Knudsen
Other weird things happened, too. Like his computer slowed down to the point where he couldn't even use it. And then he got a suspicious login notification to his work account that he didn't recognize. But July is when he knew something was really up. That's when he got a message on Discord, a platform popular with gamers.
Dutch Van Andel
And there's this suspicious direct message. The person's like, Frank, something, something. And ordinarily, I just delete unsolicited direct messages from strangers, but this one is really long.
Ryan Knudsen
The thing that caught his attention was that the message included details from a conversation he'd had on his work Slack account. It was a chat about his lunch.
Dutch Van Andel
I think there is no way they should have this. There's no way they should have that Slack conversation.
Ryan Knudsen
Slack was Disney's internal messaging platform at the time, and it's supposed to be private. No one outside the company should have been able to see those messages.
Dutch Van Andel
The only way they have that Slack conversation is somehow my work computer is compromised. So immediately, I closed the work computer.
Ryan Knudsen
Dutch came to the conclusion that he'd been hacked. He got in touch with Disney's Information Security Team, or Infosec. It responds to the company's IT emergencies.
Dutch Van Andel
And I say, hey, I got this thing. It sounds like an extortion message. And they have a thing in there from Slack that they should not have access to.
Ryan Knudsen
Dutch says Infosec looked into it and said his work laptop looked fine and that he should check his personal computer. So Dutch ran an antivirus program, and.
Dutch Van Andel
Immediately it picks up this file Vision LLM in my downloads and says, oh, Trojan detected. So I'm like, vision LLM, what is that? I can barely remember it.
Ryan Knudsen
Vision LLM, that AI plugin Dutch had downloaded so that his kids could generate images of Easter bunnies and Roblox characters. That program had a hidden virus.
Dutch Van Andel
So I look it up and I find this Reddit thread where somebody's like, this is malware. It steals all your passwords. If you downloaded this, change all of your passwords immediately. Like right now that somebody has your passwords. So I let Infosec know. I'm like, you know, I think they maybe got into my PC.
Ryan Knudsen
Dutch said that Disney's Infosec agreed and they told him that a hacker had also gotten into Disney systems and they were downloading massive amounts of data.
Dutch Van Andel
And that's where it starts setting in, like this panic. You know, I'm still not sure, like, how they had gotten to the Disney system. So like, you know, we're trying to work through. It's like, well, how, how could they get past, like the two-factor authentication?
Ryan Knudsen
While Dutch was on the phone with Infosec, he also had his email account open and he noticed a spammy looking message show up in his inbox. He deleted it, but then he got another one right away.
Dutch Van Andel
And this one is exactly the same as the Discord. So they're definitely trying to get a hold of me, you know, and the timing is also weird. Like, it's like, why am I getting this now while I'm like, here in my email?
Ryan Knudsen
Like, are they watching me somehow?
Dutch Van Andel
Yes. And I like kind of panic and I like hit the trash button. And then they send a third email saying, we saw what you did.
Ryan Knudsen
Oh my God.
Dutch Van Andel
That's where things start to get bad. You know, they're watching you.
Ryan Knudsen
In that third email, the hacker also sent a threat. It said, quote, respond, do what we want, or end up on the net.
Dutch Van Andel
They're not just in Slack, they're in my email. That means they're probably in my Discord. And I'm thinking, how? How is this possible? It doesn't take long for me to figure out, maybe just a few seconds. They're in my 1Password. It is the only way.
Ryan Knudsen
1Password is a password manager. It's considered a way to protect your digital life, and it's often recommended by security experts as a way to make sure you don't get hacked. The hacker was able to get into Dutch's 1Password account because Dutch didn't have two-factor authentication turned on. That's those codes that get pushed to your phone to make sure it's really you. Getting access to his 1Password account was bad because not only did Dutch store all of his passwords there, he also stored personal information like birth certificates and Social Security numbers, information that Dutch had been accumulating for a decade. And not only that, Dutch also used 1Password for two-factor authentication codes, meaning that by accessing his 1Password account, the hacker got Dutch's passwords and his two-factor codes. It was like they had the ultimate master key to Dutch's entire digital life.
Dutch Van Andel
And I tell InfoSec, oh, my God, I think they got my 1Password. They have to have my two-factor codes. This is the only way they could get into this stuff. So at that point, you know, they're like, okay, well, you. You need to work on securing your personal stuff.
Ryan Knudsen
Once he realized this, Dutch had a lot of work to do.
Dutch Van Andel
So the game plan, like, immediately, I'm like, how do I. How do I get them out? And they have threatened to retaliate. So I think, okay, I need to secure our financial accounts first, secure bank accounts and all financials, secure social media, secure medical, secure all this, like, sensitive personal stuff as much as fast as I could right now.
Ryan Knudsen
And did you, like, buy a new computer to do all this stuff? Because they're in your computer, right?
Dutch Van Andel
They're on my gaming PC, yes. I've already determined that my wife's MacBook is fine, so I'm working on that. I'm working on her MacBook. So first I secure those accounts as.
Ryan Knudsen
Quickly as I can, change the passwords and all that.
Dutch Van Andel
Yeah. And we just start erasing everything. We're reformatting computers. I just go straight through the night.
Ryan Knudsen
Dutch said he got a call from Disney's InfoSec team the next morning, and they told him that the hacker had doxxed him and his family, meaning they followed through on their threat to put Dutch's information online. All of his personal information, his passwords, his family's birth certificates, everything was now available for anyone to see.
Dutch Van Andel
Accounts are now actively hijacked. Like, people are getting into them. They're sabotaging them. They're, you know, changing passwords and vandalizing accounts. You know, my kids' Roblox accounts were hijacked and stolen, and they changed the passwords and tried to lock us out. And I'm just at this point now, not only am I trying to make my way through the list, but I'm trying to recover things as they're being taken. I'm trying to actively block people who are trying to get into things and it's just nonstop.
Ryan Knudsen
Meanwhile, at his employer, Disney, they were having problems with the hacker too. And Dutch's nightmare was about to get a lot worse. That's next.
Ryan Knudsen
The same morning that a hacker made all of Dutch's personal information public, they also released massive amounts of Disney data online. Troves of confidential information, including things like passport numbers for cruise workers and sales of theme park passes and streaming data. Disney is investigating a July data leak of its internal Slack channels.
Dutch Van Andel
Hacktivist group called Null Bulge has come out saying it has leaked more than one terabyte of information from Disney's Slack. That's a software platform.
Ryan Knudsen
That 1 terabyte of Disney data included more than 44 million Slack messages, 18,000 spreadsheets and 13,000 PDFs. And the hacker got it all through.
HubSpot
Dutch, saying it gained access through a Slack user who had cookies. Disney says it's investigating the matter.
Ryan Knudsen
The Wall Street Journal was the first news outlet to report the contents of what the hacker released. The stolen information gave a rare look inside the inner workings of a big company. There were discussions of ad campaigns, studio technology and information about unreleased projects. There was even revenue data about each of Disney's streaming services, which had never been made public before. In a regulatory filing last summer, Disney said it was investigating the incident, but that it wasn't expected to have a material impact on its operations or financial performance. Among the things that the hacker put out there in the data dump was also a claim that Dutch was in on it.
Dutch Van Andel
And then I start getting messages from press. The media's starting to reach out to me. You know, people are messaging me on LinkedIn and saying, why did you hack your employer? Because you can trust something that the hacker says on their website as they dox that person.
Ryan Knudsen
Dutch says that he was not part of the hack.
Dutch Van Andel
So a week goes by. Again, I'm fending people off still. People are just actively day and night, nonstop trying to get into things. I'm, I am still like having panic attacks every time my phone makes a sound. You know, like, you get the notifications as people are trying to get in, like, ding, ding, ding, ding, ding, ding.
Ryan Knudsen
Eventually, after Dutch finished changing all of his passwords, things started to calm down and he tried to get back to his job.
Dutch Van Andel
And I'm like, okay, maybe, maybe I should see if I can start doing a little bit of work again. And I get this call and it's from a Disney area code. So I pick it up and they introduce themselves from like Disney HR. And they're like, how are, how are you doing, Dutch? And I go, well, you know, I'm surviving. And they go, well, the, the reason we called, you know, is during the investigation of your computer, we, we discovered that you had accessed pornographic content. And, and, and I'm like, I'm, I'm completely at a loss. I, I'm thinking, well, they, I guess they must have called the wrong person. And I'm like, no, I'm, I'm the one that was hacked. And, and they go, well, we determined that this has nothing to do with that. And I'm like, well, that's, but that's not true. And they go, well, because you accessed pornographic content on a company computer, you're being terminated, effective immediately. I don't remember much after that.
Ryan Knudsen
Dutch denies ever viewing pornography on his work computer. In a statement, a Disney spokesperson said his denial is, quote, firmly refuted by the company's review of his company issued device. After you found out that you had been fired, like, what were you feeling?
Dutch Van Andel
Felt like my life was over. Everything I had built, everything I had worked for, my relationships, projects, reputation, it's all gone. I thought I was going to retire there. You know, I never thought when I started working there that I would work for a big company, but Disney is one of the few companies I actually felt kind of good about.
Ryan Knudsen
Dutch said losing his job felt worse than getting hacked and doxxed.
Dutch Van Andel
You know, this whole week I had been surviving on the support of all these people at Disney, calling me, checking in, reaching out, making sure I'm okay, saying, look, this could happen to anybody. Don't beat yourself up over it. It's not your fault. You know, and then this, up until.
Ryan Knudsen
That point, did it feel like they had your back?
Dutch Van Andel
It did. I thought they did. I thought, I thought they supported me. I thought they were going to protect me. And my support network is gone again. You know, that's, I've been there for a long time. You spend more time with those people than you do with your own family, your coworkers.
Ryan Knudsen
Yeah.
Dutch Van Andel
Yes. I considered many of them genuine friends.
Ryan Knudsen
Dutch ended up finding another tech job in December, and he says he's been in touch with the FBI about the hack. Still, he felt burned by Disney.
Dutch Van Andel
It's like my identity was tied up there and it was just taken away, you know, I don't know, it. It just feels like I. I'm in my 40s, you know, I'm not getting any younger. But my career has been thrown way, way, way back, and there's no catching up. There's no getting it back.
Ryan Knudsen
So he decided to sue. In February, he filed a wrongful termination lawsuit against Disney, alleging slander and whistleblower retaliation for speaking out against the company's cybersecurity standards. Disney did not comment on the lawsuit.
Dutch Van Andel
I always thought that I was. I had a good security posture. Obviously, little oversights are all it takes. It, you know, I want to say hackers are getting sophisticated, but it's not even a matter of sophistication. It's just they can throw very wide nets, very unsophisticated wide nets, and just have patience. I didn't think about this computer being anything other than a toy. I always figured if you get some malware on there, you know, reformat Windows, just maybe lose some games, reinstall them. You know, what's the worst that could possibly happen on there?
Ryan Knudsen
That's all for today. Monday, March 17. The Journal is a co-production of Spotify and the Wall Street Journal. Additional reporting in this episode by Bob McMillan, Sarah Kraus and Robbie Whelan. Thanks for listening. See you tomorrow.
Podcast Summary: "He Wanted an AI Tool. It Led to a Massive Hack at Disney."
The Journal by The Wall Street Journal & Gimlet presents a gripping narrative about how a seemingly harmless AI tool led to a devastating cyber-attack on one of the world's largest entertainment conglomerates, Disney. Hosted by Ryan Knutson and Kate Linebaugh, the episode delves deep into the personal and professional turmoil experienced by Dutch Van Andel, a software engineering manager at Disney, whose life was upended by a sophisticated cyber breach.
The story centers around Dutch Van Andel, a 43-year-old software engineering manager living in the suburbs of Los Angeles. Until last year, Dutch led an ordinary life—married with two kids, managing a team at Disney. However, his acquisition of an AI tool would set off a chain of events leading to a massive security breach.
Notable Quote:
Dutch Van Andel (00:08): "I didn't even realize it was that long ago at first until after the FBI had visited."
Dutch downloaded Vision LLM, an AI program designed to generate images for his children, such as Easter bunnies and Roblox characters. Unbeknownst to him, the software contained malicious code that provided hackers access to his personal computer.
Notable Quote:
Dutch Van Andel (00:54): "Generate pictures of Easter bunnies and Roblox people and, you know, stuff like that."
Shortly after installing Vision LLM, Dutch began experiencing unusual activities:
Notable Quotes:
Dutch Van Andel (04:03): "We have our credit cards stolen. We're racking up thousands of dollars in these fraudulent credit card charges."
Dutch Van Andel (05:05): "I think there is no way they should have this."
Realizing the severity of the situation, Dutch contacted Disney's Information Security Team (Infosec). An antivirus scan revealed that Vision LLM was a Trojan containing malware designed to steal personal information.
Notable Quotes:
Dutch Van Andel (06:02): "Immediately it picks up this file Vision LLM in my downloads and says, oh, Trojan detected."
Dutch Van Andel (08:25): "They're watching you."
The situation deteriorated when the hacker group, Null Bulge, executed their threat by leaking over one terabyte of Disney's internal data, including 44 million Slack messages, spreadsheets, and confidential PDFs. Simultaneously, Dutch's personal information was exposed online, exacerbating the crisis.
Notable Quotes:
Dutch Van Andel (10:46): "Accounts are now actively hijacked."
Ryan Knudsen (12:50): "The hacker was able to get into Dutch's 1Password account because Dutch didn't have two-factor authentication turned on."
As Dutch grappled with his compromised digital life, Disney also faced its internal turmoil. Amidst the investigation, Dutch was accused of accessing pornographic content on his work computer—a claim he vehemently denied. Consequently, Disney terminated his employment, leaving Dutch feeling betrayed and devastated.
Notable Quotes:
Dutch Van Andel (16:19): "Felt like my life was over."
Ryan Knutson (16:54): "Dutch said losing his job felt worse than getting hacked and doxxed."
In February, Dutch filed a wrongful termination lawsuit against Disney, alleging slander and retaliation for highlighting the company's inadequate cybersecurity measures. Despite finding new employment by December and maintaining contact with the FBI, Dutch remains disheartened by the loss of his career and reputation.
Notable Quote:
Dutch Van Andel (18:35): "I want to say hackers are getting sophisticated, but it's not even a matter of sophistication. It's just they can throw very wide nets."
Dutch's ordeal underscores the vulnerabilities inherent in personal and corporate cybersecurity. It highlights the importance of:
Notable Quote:
Dutch Van Andel (19:35): "I didn't think about this computer being anything other than a toy. I always figured if you get some malware on there... what's the worst that could possibly happen on there?"
The episode of The Journal presents a cautionary tale of how a simple decision to use an AI tool can lead to catastrophic personal and corporate consequences. Dutch Van Andel's story serves as a stark reminder of the ever-present threats in the digital age and the imperative need for comprehensive cybersecurity practices.