The Walt Disney Company is facing a significant class action lawsuit stemming from a massive data breach in July, in which hackers stole more than 1.1 terabytes of private customer data.
Filed on October 3 in Los Angeles Superior Court by plaintiff Scott Margel, the lawsuit accuses Disney and its subsidiary, Disney California Adventure, of failing to protect highly sensitive personal information. The breach has prompted thousands of current and former Disney customers to join the suit, holding the entertainment giant responsible for their compromised data.
The breach was carried out by the Russian hacktivist group “Nullbulge,” which infiltrated Disney’s Slack communications network. Through this access, the hackers reportedly obtained a wide range of sensitive information, including customer data from Disney’s theme parks and Disney Cruise Line, as well as passport details and other personal information from crew members.
Along with this personal data, hackers accessed internal business communications, revenue figures for Disney’s streaming services (Disney+, ESPN+, and Hulu), and confidential studio and marketing information.
In response to the breach, Disney initially stated it was investigating the situation, but many customers claim the company has been less than transparent about the full extent of the attack. The lawsuit points to Disney’s failure to inform affected customers adequately, leaving many in the dark about exactly which of their personal data was compromised.
The complaint states that as of today, customers “remain…in the dark” about the specifics of the breach, including the methods used by the hackers and the steps Disney is taking to secure their data.
In addition to seeking financial damages, plaintiff Scott Margel is calling for Disney to overhaul its cybersecurity measures and provide class action members with information on how their personal data was impacted.
The lawsuit highlights a growing concern over how major corporations handle sensitive customer information in the wake of sophisticated cyberattacks.
With the breach involving both personal and corporate data, the fallout for Disney could be significant, both in terms of legal liability and public trust. Disney’s handling of the breach and the resulting lawsuit will likely be closely watched by both its customer base and the broader business community.