Disney Employee Hack - Example of Personal Device Data Access Risk

Memo
Written By Studio Soph
 
 

We are reaching out to inform you of a recent cybersecurity development that underscores the growing risks associated with personal devices accessing company resources. According to a recent Wall Street Journal report, a cyberattack on Disney was allegedly initiated by an employee using a malicious AI-powered tool on a personal device.  This incident underscores the evolving tactics of malicious actors and the need for heightened vigilance.

In this case the employee had access to Disney’s Slack communications from his unmanaged and unprotected personal device.  The bad actor was able to leverage the existing Slack access to gain access to Disney’s Slack communications. 

Additionally, the employee had a personal password manager without MFA that was compromised as part of the attack.  This allowed the bad actor to access the employee’s credentials to accounts kept in his password manager’s vault.

We want to reinforce the importance of strict security measures when evaluating your security policies for personal devices in your business. Here are key takeaways from this incident and our recommended actions:

Key Takeaways:

  • Personal devices – Employees with access to company resources from personal devices represent a significant cybersecurity risk and can inadvertently or intentionally create security risks.  We recommend that only managed and secured devices be allowed to access company resources, and if a personal device must be used it is only used to access a managed and secured Windows 365 Cloud PC.

  • Multi-Factor Authentication (MFA) gaps – The lack of MFA implementation leaves systems vulnerable to unauthorized access and credential-based attacks.  This is even more important when utilizing password managers.

  • Cyberattack vectors are evolving – Hackers are leveraging AI to develop more sophisticated attack strategies, increasing the need for proactive security.


Recommended Actions:

  • Review personal device usage policies: Ensure employees understand the risks associated with using unsecured personal devices and ensure your firm’s policies and infrastructure protect your data in cloud applications.

  • Ensure MFA is enabled: Implement Multi-Factor Authentication (MFA) across all systems (corporate and personal) to add an extra layer of security.

  • Implement Seraphic Browser Security: Consider Implementing Seraphic to enhance browser security to prevent unauthorized access from managed devices. 

  • Conduct employee training: Regular training sessions can help employees recognize potential threats and adhere to security best practices.

  • Monitor systems and prepare for incidents: Implement proactive monitoring and ensure your team has a well-defined incident response plan.


If you have any questions or need assistance in evaluating your personal device policies or security posture, please contact our team.


Additional Resources:

Wall Street Journal Report: https://www.wsj.com/tech/cybersecurity/disney-employee-ai-tool-hacker-cyberattack-3700c931?st=gCtqgK&reflink=article_copyURL_share

 

Best regards,

— Your HalcyonFT Team

 
 
 
 

{ HALCYONFT UPDATES }

More Insights

 
 
 
 

{ CONTACT }

Connect with us to discuss what HalcyonFT can do for you

 
 
Studio Soph https://www.studiosoph.co.uk
Next

Halcyon Financial Technology, L.P. Joins Global Elite With WealthBriefing Award