The Journal. - He Wanted an AI Tool. It Led to a Massive Hack at Disney.
Episode Date: March 17, 2025
Matthew Van Andel’s ordinary life unraveled when he accidentally downloaded a trojan horse that gave a hacker access to his entire computer. But the hacker didn’t just get Van Andel’s information. It also got his employer: Disney.
Further Reading:
- A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life.
- How to Keep Hackers From Destroying Your Digital Life
Further Listening:
- Six Days of Chaos at MGM's Casinos
Transcript
Where does this story start?
So I'm not quite sure.
So you know, I didn't even realize it was that long ago at first until after the FBI
had visited and I told them I would put together like a detailed timeline for them.
This is Dutch Van Andel.
Up until last year, he lived a pretty ordinary life.
He's a software engineering manager,
married with two kids,
and lives in the suburbs of Los Angeles.
But last year, something happened
that turned his ordinary life upside down.
It started when Dutch downloaded
a seemingly innocuous program onto his personal computer.
It was an AI software called Vision LLM, and it could generate images.
He wanted something his sons could play with.
Like, generate pictures of Easter bunnies and Roblox people, you know, stuff like that.
He didn't know it at the time, but the program had a malicious code in it.
A code that gave a hacker access to Dutch's computer.
And over a period of months,
that hacker stole all of Dutch's personal information,
like his bank accounts and passwords.
They're getting into things they shouldn't have
because they've got my social security number,
they've got my birth date, they've got my email address.
You could just make a phone call and pretend to be me
because you have this information.
It was a nightmare.
And it wasn't just his personal life that was hacked.
Through Dutch, the hacker also got inside his employer, Disney.
Disney has apparently been hit by a cyber attack.
The hacking group Null Bulge says it leaked thousands of internal Disney messages.
While Dutch's story is unusual, his life online wasn't. And what happened to him
could happen to almost anyone. These people, they may not be targeting you, but just because
you work for somebody that they find interesting, they will destroy you to get at it.
Welcome to The Journal,
our show about money, business, and power.
I'm Ryan Knutson.
It's Monday, March 17th.
Coming up on the show,
what it feels like to be at the center of a major hack
on one of the world's largest companies.
That is one impressive mustache.
Thank you.
Dutch's mustache is long,
straight, and points directly out to the sides.
Started with just
curling the corners with some wax,
and I wanted to make a loop.
Uh-huh.
But it turns out, every time it gets hot,
my hair is stubborn and that loop turns into a hoop.
So I just started keeping it straight instead.
Dutch is 43 and his real name is Matthew.
I tend to go by Dutch because there's just too many Matts everywhere you go.
Right.
I was the Dutch Matt. And then just became Dutch.
The Dutch... Are you Dutch?
Yeah, yeah. It's, well, you know, family name, Van Andel.
Grandparents were Dutch, so I'm like third generation, something like that.
The first sign that Dutch's life was about to be turned upside down
happened last spring.
So in May, we have our credit cards stolen. We're racking up thousands of dollars in these fraudulent credit card charges on like
all of our credit cards.
And it's really bizarre and I can't figure out what exactly is going on.
Other weird things happened too.
Like his computer slowed down to the point where he couldn't even use it.
And then he got a suspicious login notification to his work account that he didn't recognize.
But July is when he knew something was really up.
That's when he got a message on Discord, a platform popular with gamers.
And there's this suspicious direct message.
The person's like, Frank something, something.
And ordinarily, I just delete unsolicited direct messages from strangers.
But this one was really long.
The thing that caught his attention was that the message included details from a conversation he'd had on his work Slack account.
It was a chat about his lunch.
I think there is no way they should have this.
There's no way they should have that Slack conversation.
Slack was Disney's internal messaging platform at the time.
And it's supposed to be private.
No one outside the company should have been able to see those messages.
The only way they have that Slack conversation is somehow my work computer is compromised.
So immediately I close the work computer.
Dutch came to the conclusion that he'd been hacked.
He got in touch with Disney's information security team, or InfoSec.
It responds to the company's IT emergencies.
And I say, hey, I got this thing. It sounds like an extortion message.
And they have a thing in there from Slack that they should not have access to.
Dutch says InfoSec looked into it and said his work laptop looked fine.
And that he should check his personal computer. So Dutch ran an antivirus program.
And immediately it picks up this file,
Vision LLM, in my downloads.
One says, oh, Trojan detected.
So I'm like, Vision LLM, what is that?
I can barely remember it.
Vision LLM, that AI plug-in Dutch had downloaded
so that his kids could generate images of Easter bunnies
and Roblox characters. That program had a hidden virus.
So I look it up and I find this Reddit thread where somebody's
like, this is malware.
It steals all your passwords.
If you downloaded this, change all of your passwords immediately,
like right now that somebody has your passwords.
So I let InfoSec know, I'm like, you know, I think they maybe
got in through my PC.
Dutch said that Disney's InfoSec agreed, and they told him that a hacker had also gotten into Disney's systems,
and they were downloading massive amounts of data.
And that's where it starts setting in, like this panic.
You know, I'm still not sure, like, how they had gotten to the Disney systems though, like, system. So we're trying to work through it.
It's like, well, how could they get past the two-factor authentication?
While Dutch was on the phone with InfoSec, he also had his email account open
and he noticed a spammy looking message show up in his inbox.
He deleted it.
But then he got another one right away.
And this one is exactly the same as the Discord.
So they're definitely trying to get a hold of me, you know?
And the timing is also weird.
Like, it's like, why am I getting this now
while I'm, like, here in my email?
Mm-hmm. Like, are they watching me somehow?
Yes. And I, like, kind of panic,
and I, like, hit the trash button.
And then they send a third email saying, we saw what you did.
Oh my God.
That's where things start to get bad.
You know they're watching you.
In that third email, the hacker also sent a threat.
It said, quote, respond, do what we want,
or end up on the net.
They're not just in Slack,
they're in my email.
That means they're probably in my Discord.
And I'm thinking, how?
How is this possible?
It doesn't take long for me to figure out,
maybe just a few seconds,
they're in my 1Password.
It is the only way.
1Password is a password manager.
It's considered a way to protect your digital life.
And it's often recommended by security experts
as a way to make sure you don't get hacked.
The hacker was able to get into Dutch's 1Password account
because Dutch didn't have two-factor authentication
turned on.
That's those codes that get pushed to your phone
to make sure it's really you.
Getting access to his 1Password account was bad. Because not only did Dutch store all of his
passwords there, he also stored personal information like birth certificates and social security
numbers. Information that Dutch had been accumulating for a decade. And not only that, Dutch also used
1Password for two-factor authentication codes, meaning that by accessing his 1Password account,
the hacker got Dutch's passwords and his two-factor codes.
It was like they had the ultimate master key to Dutch's entire digital life.
And I tell InfoSec, oh my God, I think they got my 1Password.
They have to have my two-factor codes.
This is the only way they could get into this stuff.
So at that point, you know, they're like,
okay, well, you need to work on securing your personal stuff.
Once he realized this, Dutch had a lot of work to do.
So the game plan, like immediately I'm like,
how do I get them out?
And they have threatened to retaliate.
So I think, okay, I need to secure
our financial accounts first.
Secure bank accounts and all financials,
secure social media, secure medical,
secure all this like sensitive personal stuff
as fast as I could, like right now.
And do you like buy a new computer to do all this stuff?
Cause they're in your computer, right?
They're on my gaming PC, yes.
I've already determined that my wife's MacBook is fine, so I'm working on that.
I'm working on her MacBook.
So first I secure those accounts as quickly as I can.
Change the passwords and all that.
Yeah.
And we just start erasing everything.
We're reformatting computers.
I just go straight through the night.
Dutch said he got a call from Disney's InfoSec team
the next morning.
And they told him that the hacker had doxed him and his family.
Meaning they followed through on their threat
to put Dutch's information online.
All of his personal information,
his passwords, his family's birth certificates, everything,
was now available for anyone to see.
Accounts are now actively hijacked.
Like, people are getting into them, they're sabotaging them,
they're, you know, changing passwords and vandalizing accounts.
You know, my kids' Roblox accounts were hijacked and stolen,
and they changed the passwords and tried to lock us out.
And I'm just, at this point now,
not only am I trying to make my way through the list,
but I'm trying to recover things as they're being taken.
I'm trying to actively block people
who are trying to get into things.
And it's just nonstop.
Meanwhile, at his employer, Disney, they were having problems with the hacker too.
And Dutch's nightmare was about to get a lot worse.
That's next.
The same morning that a hacker made all of Dutch's personal information public,
they also released massive amounts of Disney data online.
Troves of confidential information,
including things like passport numbers for cruise workers
and sales of theme park passes and streaming data.
Disney is investigating a July data leak
of its internal Slack channels.
A hacktivist group called Null Bulge has come out saying
it has leaked more than one
terabytes of information from Disney's Slack.
That one terabyte of Disney data included more than 44 million Slack messages, 18,000
spreadsheets, and 13,000 PDFs.
And the hacker got it all through Dutch.
Saying it gained access through a Slack user who had cookies.
Disney says it's investigating the matter.
The Wall Street Journal was the first news outlet
to report the contents of what the hacker released.
The stolen information gave a rare look
inside the inner workings of a big company.
There were discussions of ad campaigns,
studio technology, and information
about unreleased projects.
There was even revenue data
about each of Disney's streaming services,
which had never been made public before.
In a regulatory filing last summer,
Disney said it was investigating the incident,
but that it wasn't expected to have a material impact
on its operations or financial performance.
Among the things that the hacker put out there
in the data dump was also a claim that Dutch
was in on it.
And then I start getting messages from press.
The media is starting to reach out to me, you know, people are messaging me on LinkedIn
and saying, why did you hack your employer?
Because you can trust something that a hacker says on their website as they dox
that person.
Dutch says he was not part of the hack.
So a week goes by, again, I'm fending people off still. People are just actively day and
night, nonstop, trying to get into things. I'm still having panic attacks every time my phone makes a sound.
You know, like you get the notifications as people are trying to get in.
Ding ding ding ding ding ding.
Eventually, after Dutch finished changing all of his passwords,
things started to calm down, and he tried to get back to his job.
And I'm like, okay, maybe I should see if I can
start doing a little bit of work again.
And I get this call, and it's from a Disney area code.
So I pick it up, and they introduce themselves
from Disney HR, and they're like,
how are you doing, Dutch? And I go, well,
you know, I'm surviving. And they go, well, the reason we called, you know, is during
the investigation of your computer, we discovered that you had accessed pornographic content.
And I'm like, I'm completely at a loss.
I'm thinking, well, they, I guess they must have called the wrong person.
And I'm like, no, I'm the one that was hacked.
And I go, well, we determined that this has nothing
to do with that.
And I'm like, well, it's, but that's not true.
And they go, well, because you access pornographic content on a company computer, you're being terminated effective immediately.
I don't remember much after that.
Dutch denies ever viewing pornography on his work computer. In a statement, a Disney spokesperson
said his denial is, quote, firmly refuted by the company's review of his company-issued device.
After you found out that you had been fired, like, what were you feeling?
Felt like my life was over. Everything I had built, everything I had worked for, my relationships, projects,
reputation. It's all gone. I thought I was going to retire there.
You know, I never thought when I started working there that I would work for a big company.
But Disney is one of the few companies
I actually felt kind of good about.
Dutch said losing his job
felt worse than getting hacked and doxed.
You know, this whole week, I had been surviving
on the support of all these people at Disney.
Calling me, checking in, reaching out, making sure I'm okay, saying, look,
this could happen to anybody.
Don't beat yourself up over it.
It's not your fault, you know?
And then this.
Up until that point, did it feel like they had your back?
It did.
I thought they did.
I thought they supported me.
I thought they were going to protect me and my support network is gone again.
You know, that's I've been there for a long time.
You spend more time with those people than you do with your own family.
Your coworkers, yeah.
Yes.
I considered many of them genuine friends.
Dutch ended up finding another tech job in December, and he says he's been in touch with
the FBI about the hack.
Still, he felt burned by Disney.
It's like my identity was tied up there, and it was just taken away, you know?
I don't know, it just feels like I'm in my 40s, you know?
I'm not getting any younger, but my career has been thrown way, way, way back.
And there's no catching up.
There's no getting it back.
So he decided to sue.
In February, he filed a wrongful termination lawsuit against Disney, alleging slander and whistleblower retaliation
for speaking out against the company's cybersecurity standards.
Disney did not comment on the lawsuit.
I always thought that I had a good security posture.
Obviously, little oversights are all it takes.
You know, I want to say hackers are getting sophisticated, but it's not even a matter of sophistication.
It's just they can throw very wide nets,
very unsophisticated wide nets,
and just have patience.
I didn't think about this computer being anything other than a toy.
I always figured, if you get some malware on there, you know, reformat Windows.
Just maybe lose some games, reinstall them.
You know, what's the worst that could possibly happen on there?
That's all for today, Monday, March 17th.
The Journal is a co-production of Spotify and The Wall Street Journal.
Additional reporting in this episode by Bob McMillan, Sarah Krauss, and Robbie Whelan.
Thanks for listening.
See you tomorrow.