In February, Matthew Van Andel, a Disney employee and father of two, downloaded an AI image generator from GitHub, which turned out to be a devastating mistake. The tool, which appeared harmless, contained malware that gave hackers access to Van Andel’s personal information, including his credit cards, social security number, and workplace credentials. The consequences were disastrous: his life was upended by a hacker known as “Nullbulge.”
Van Andel discovered the breach when the hacker contacted him via Discord, referencing private conversations from his work Slack account. The hacker’s message was chilling, and the next day, Van Andel’s credentials were used to leak massive amounts of sensitive data from Disney, including customer information and internal revenue numbers.
The hacker posted a taunting blog entry, boasting about the 1.1 terabyte data dump and claiming Van Andel had been “their inside man.” They also threatened future targets, warning of the potential consequences of insufficient cybersecurity.
Although Van Andel immediately notified Disney’s cybersecurity team, the damage had already been done. The malware had likely gained access through Van Andel’s password manager, which lacked two-factor authentication. This oversight allowed the hacker nearly unrestricted access to his personal and professional data.
The fallout from the breach was swift: Disney fired Van Andel, citing alleged inappropriate material on his work computer—a claim he denies. The termination led to the loss of his job, a $200,000 bonus, and his family’s healthcare benefits.
Reflecting on the events, Van Andel described the violation as “impossible to convey.” This case highlights the risks of downloading third-party software and the importance of securing personal data against growing cybersecurity threats.