Walt Disney Co. is facing a class action lawsuit accusing the company of negligence, breach of implied contract, and other misconduct related to a significant data breach earlier this year. The lawsuit, filed by plaintiff Scott Margel in Los Angeles County Superior Court, also alleges that Disney violated privacy laws by failing to adequately prevent the breach or inform affected individuals of its scope.
The class members, potentially numbering in the thousands, include individuals who provided “highly sensitive personal information” to Disney, particularly in relation to their employment. The lawsuit references a Wall Street Journal article from September, which reported that a hacking group called NullBulge leaked vast amounts of Disney’s internal data, including over 18,800 spreadsheets, 13,000 PDFs, and 44 million Slack messages. This compromised data allegedly contained sensitive information from Disney Cruise Line employees and passengers, such as passport numbers, visa details, birthplaces, addresses, and phone numbers.
NullBulge claimed to have leaked around 1.2 terabytes of Disney data, citing the company’s treatment of artists, its stance on AI, and disregard for consumers as reasons for the breach. The group told CNN they accessed Disney’s systems through “a man with Slack access who had cookies.” Disney has since stated that it is investigating the breach and reportedly planned to stop using Slack after the incident.
The complaint highlights that the plaintiff and class members remain unaware of which specific data was stolen, how it was compromised, and what measures are being taken to secure their personal information going forward. They are left uncertain about where their data has ended up or how it may be used.
Margel is demanding that Disney strengthen its security systems and provide education on the risks posed by the breach. He is also seeking unspecified damages and has requested a jury trial.