Walt Disney was targeted by hackers who obtained sensitive internal company data including revenue figures from its Disney+ and ESPN+ streaming services as well as its Genie theme park passes, according to a report.
A cyber-criminal operation known as “NullBulge” uploaded more than 1.1 terabytes of data in July that also included internal Slack messages in which employees sound off on the company’s battle with Florida Gov. Ron DeSantis over so-called “Don’t Say Gay” legislation.
NullBulge, whom authorities believe is a lone hacker based in the US, also published data including computer code and details about unreleased projects, according to The Wall Street Journal, which cited the group’s blog post.
NullBulge also got its hands on internal spreadsheets detailing the revenue generated from Disney’s Genie+ theme park passes in 2021.
Genie+ is the paid service whereby visitors to Disney World and Disneyland can purchase access to a “Lightning Lane” that allows them to skip regular lines for major attractions.
The service, whose cost varies depending on the level of demand for rides, has emerged as a key revenue stream for the company.
According to documents contained in the hack, Genie+ passes brought in more than $724 million in pretax revenue between October 2021 and June of this year fat Walt Disney World.
Earlier this year, Disney made changes to the Genie+ system after visitors complained that it was confusing and cumbersome.
The leaked documents also included internal spreadsheets about Disney+, the company’s television streaming service.
According to the documents, Disney+ generated more than $2.4 billion in revenue in the quarter which ended in March — or 43% of the revenue generated by the company’s direct-to-consumer business which includes Hulu and ESPN+.
Disney does not publicly disclose revenue generated by individual streaming services — disappointing investors who have been eager for the data.
Some of the Slack channels that were raided by hackers also contained personal information about staff aboard Disney cruises such as passport numbers, visa details, places of birth and physical addresses, the Journal reported.
The hackers also got their hands on Slack messages from as many as 10,000 different channels that contain conversations about job applicants, upcoming projects, employee programs and website development and ad campaigns going back as far as 2019.
“We decline to comment on unverified information The Wall Street Journal has purportedly obtained as a result of a bad actor’s illegal activity,” a Disney spokesperson told the Journal.
