Disney’s Dual Cyber Incidents: What They Reveal About SaaS and Identity Security

In 2024, Disney, a global leader in entertainment, suffered two unrelated cybersecurity incidents. One was carried out by a disgruntled former employee. The other was the work of an outside attacker who published a trojanized AI tool that an employee installed, handing the attacker a foothold from which to exfiltrate data. On the surface the two attacks have nothing in common. Underneath, they share a connection: both exploited blind spots in identity, access, and SaaS security that many enterprises still struggle with.
Let’s break down what happened, and more importantly, what these incidents reveal about modern security posture in a SaaS-first world.
Breach #1: A Former Employee’s Revenge Campaign
Michael Scheuer, a former menu production manager at Walt Disney World, was fired in mid-2024 for misconduct. In retaliation, he launched a series of attacks on the menu creation system the company used, an application built and hosted by a third-party contractor. What made this attack particularly dangerous was the nature of the changes:
- He altered allergen information, marking items that contain peanuts as safe for guests with peanut allergies, a change that could have been fatal.
- He redirected QR codes on menus to an external website carrying political content.
- He swapped fonts for unreadable symbol fonts and changed wine region labels to the names of mass shooting sites.
- He locked employees out of their accounts by repeatedly submitting wrong passwords (a denial of service aimed at people rather than servers) and kept a "dox folder" of their personal information.
This was not a highly technical breach. Scheuer still held working credentials for a system he should have been locked out of the day he was terminated, and he used them for weeks. The altered menus were reportedly caught before they reached restaurants, so the control that limited the damage was a downstream review, not access control. The attack still caused serious operational disruption and brand damage, and he was later sentenced to three years in prison.
The root issue? Identity lifecycle management. The organization failed to revoke privileged access immediately after termination: a basic but often neglected step in offboarding. The problem compounds when the application is hosted by a vendor and keeps its own logins, because disabling the employee in the corporate identity provider never reaches it.
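What that offboarding gap looks like as a check, written for this article as an added example rather than anything Disney or its contractor ran: the script reconciles a constructed HR termination feed against an identity-provider export and against a vendor-hosted app that keeps its own local logins, and reports every piece of access, and every login, that outlives the termination timestamp. Usernames, timestamps, group names and field names are all constructed; a real run would join on email or employee ID and pull the exports from the HR system, the IdP and each app's admin API.

```python
"""Offboarding reconciliation: find access that outlives an employee's termination.

Added example; the data below is constructed and not from Disney or any real tenant.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

UTC = timezone.utc

# Constructed HR feed: username -> termination timestamp.
HR_TERMINATIONS: Dict[str, datetime] = {
    "jdoe": datetime(2024, 6, 13, 17, 0, tzinfo=UTC),
    "asmith": datetime(2024, 6, 20, 12, 0, tzinfo=UTC),
}

# Constructed identity-provider export (what SSO-backed apps see).
IDP_ACCOUNTS = [
    {"user": "jdoe", "status": "active", "groups": ["menu-editors", "vpn-users"]},
    {"user": "asmith", "status": "deprovisioned", "groups": []},
    {"user": "bwong", "status": "active", "groups": ["menu-editors"]},
]

# Constructed export from a vendor-hosted app with its own local logins.
# IdP deprovisioning never reaches these, so they need their own check.
SAAS_LOCAL_ACCOUNTS = {
    "menu-creator": [
        {"user": "jdoe", "enabled": True,
         "last_login": datetime(2024, 6, 18, 2, 0, tzinfo=UTC)},
        {"user": "asmith", "enabled": True,
         "last_login": datetime(2024, 6, 19, 9, 0, tzinfo=UTC)},
        {"user": "bwong", "enabled": True,
         "last_login": datetime(2024, 6, 21, 8, 0, tzinfo=UTC)},
    ],
}

# Point in time at which the constructed exports were taken.
EXAMPLE_NOW = datetime(2024, 6, 21, 12, 0, tzinfo=UTC)


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    detail: str
    hours_past_termination: float


def _hours(since: datetime, until: datetime) -> float:
    return round((until - since).total_seconds() / 3600, 1)


def reconcile(hr_terms, idp_accounts, saas_accounts, now) -> List[Finding]:
    """Return every piece of access that should have been revoked at termination.

    An enabled account, a lingering group membership, or a login recorded after
    the termination timestamp (evidence of actual use) each produce a finding.
    """
    findings: List[Finding] = []

    for acct in idp_accounts:
        term = hr_terms.get(acct["user"])
        if term is None or now < term:
            continue  # still employed, or termination is in the future
        overdue = _hours(term, now)
        if acct["status"] == "active":
            findings.append(Finding(acct["user"], "idp", "account still active", overdue))
        for group in acct["groups"]:
            findings.append(Finding(acct["user"], "idp", f"still member of {group}", overdue))

    for app, accounts in saas_accounts.items():
        for acct in accounts:
            term = hr_terms.get(acct["user"])
            if term is None or now < term:
                continue
            overdue = _hours(term, now)
            if acct["enabled"]:
                findings.append(Finding(acct["user"], app, "local login still enabled", overdue))
            last = acct.get("last_login")
            if last is not None and last > term:
                findings.append(Finding(
                    acct["user"], app,
                    f"login observed {_hours(term, last)}h after termination", overdue))

    # Worst first: evidence of post-termination use, then the longest-overdue access.
    findings.sort(key=lambda f: (not f.detail.startswith("login observed"),
                                 -f.hours_past_termination))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_TERMINATIONS, IDP_ACCOUNTS, SAAS_LOCAL_ACCOUNTS, EXAMPLE_NOW):
        print(f"{f.user:8} {f.system:13} {f.detail} ({f.hours_past_termination}h overdue)")
```

The second user in the sample is the instructive one: the IdP shows `asmith` correctly deprovisioned, yet the vendor app still has an enabled local login, which is exactly the kind of account an IdP-only offboarding report never lists.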
Breach #2: A Malicious AI Tool with 1.1 TB Fallout
Around the same time, a second, completely unrelated incident unfolded. Ryan Mitchell Kramer, operating under the alias "NullBulge," published a trojanized AI image generation tool on GitHub. When a Disney employee downloaded and ran it on his personal computer, the embedded malware gave Kramer control of that machine and the credentials stored on it, including the employee's access to Disney's Slack workspace.
From there, Kramer stole over 1.1 terabytes of internal data, including:
- Source code
- Internal documentation
- Employee communications
- Personally identifiable information
He released this data publicly and was later charged by federal authorities; he pleaded guilty in 2025.
This incident is a classic case of third-party risk meeting SaaS sprawl. The attacker did not break through hardened perimeter defenses; he got in through an app that an employee chose to install. From the Slack side, the activity looked like an ordinary employee session, and without granular SaaS visibility nothing flagged a single account pulling the contents of thousands of channels before the data was published.
Two Attacks, Shared Lessons
Though different in origin, one insider and one external, both breaches exploited common weaknesses. Here is what they show us:
- Access Control Is Still Broken: The ex-employee's access should have been disabled the moment he was terminated. And a single compromised account should never have been able to read and download so much internal data. Both are failures of least privilege and permission hygiene.
- SaaS Apps Are the New Entry Points: Slack, vendor-hosted menu tools, and custom internal applications are not traditional attack surfaces, but they are now prime targets. They hold critical business data yet rarely get the visibility and control organizations apply to infrastructure.
- Identity = the New Perimeter: In both breaches, identity was the main vector. Whether it was a leftover credential or a stolen session driven by malware, weak identity governance enabled the damage. Once inside, neither actor faced meaningful friction.
- There's No Substitute for Real-Time Monitoring: Neither breach was detected immediately. In the SaaS era, periodic audits and siloed logs do not cut it. Continuous monitoring and behavioral baselining across cloud apps (who downloads what, how much, from how many places, and how that compares with their own history) are what catch unusual access and data movement early.
How Enterprises Can Respond
To avoid becoming the next headline, CISOs and security teams need to rethink how they secure users, apps, and data—especially in a cloud-first setup.
Here are five actions to prioritize:
- Tighten Identity Governance – Revisit your joiner-mover-leaver process. Automate deprovisioning, enforce least privilege, and audit entitlements regularly. Terminated employees shouldn’t have access even for an hour, let alone days.
- Map and Monitor SaaS Access – Do you know how many SaaS apps your teams use? Who has access to what? What data can those apps touch? A SaaS Security Posture Management (SSPM) solution can help map and monitor this sprawling environment in real time.
- Scrutinize Third-Party Tools – From browser extensions to packages pulled from GitHub and public registries, employees install tools constantly, often on personal devices that also hold work credentials. Implement a process for vetting and sandboxing third-party applications, keep corporate credentials and sessions off unmanaged machines, and monitor unusual data flows tied to these apps.
- Implement Zero Trust Principles – Assume breach and validate everything. That means enforcing MFA everywhere, monitoring and removing excessive privileges, and limiting lateral movement across apps.
- Establish Data Exfiltration Alerts – Track not just login attempts but actual data activity: downloads, exports, copies, file sharing, and the number of distinct channels or repositories a single account touches. Many SaaS apps expose audit logs but few alert on them by default, so layering on a security solution that baselines each user's normal data movement and alerts on deviations is critical.
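The behavioral-baselining idea behind the "real-time monitoring" lesson and the "data exfiltration alerts" action, as an added example that is not from the original article and is not any vendor's detection logic: it parses constructed Slack-style audit events (the field names `ts`, `user`, `action`, `channel` and `bytes` are assumptions, not Slack's real audit schema), builds a per-user, per-day profile of download volume and channel fan-out from prior days only, and alerts when a day exceeds the user's own history. The constructed log gives two users a week of routine activity and then has one account sweep forty channels in a night.

```python
"""Behavioral baselining over SaaS audit logs: flag bulk pulls by one account.

Added example with constructed, Slack-style events. Field names ("ts", "user",
"action", "channel", "bytes") are assumptions, not a real audit-log schema.
"""
import json
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List


def _line(ts: str, user: str, action: str, channel: str, size: int = 0) -> str:
    return json.dumps({"ts": ts, "user": user, "action": action,
                       "channel": channel, "bytes": size})


def build_sample_log() -> List[str]:
    """Constructed audit log: a routine week for two users, then one bulk pull."""
    lines = []
    for day in range(1, 8):
        for user in ("carol", "dave"):
            lines.append(_line(f"2024-07-0{day}T09:00:00Z", user, "file_downloaded", "C-marketing", 250_000))
            lines.append(_line(f"2024-07-0{day}T14:30:00Z", user, "file_downloaded", "C-design", 400_000))
            lines.append(_line(f"2024-07-0{day}T15:00:00Z", user, "message_posted", "C-design"))
    # Day 8: dave is routine; carol's account sweeps 40 channels and pulls 2 GB overnight.
    lines.append(_line("2024-07-08T09:00:00Z", "dave", "file_downloaded", "C-marketing", 250_000))
    for n in range(40):
        lines.append(_line(f"2024-07-08T02:{n:02d}:00Z", "carol", "file_downloaded", f"C-eng-{n}", 50_000_000))
    return lines


def daily_profiles(lines: List[str]) -> Dict[tuple, dict]:
    """Bucket download events into (user, day) -> {bytes, channels, count}."""
    prof: Dict[tuple, dict] = defaultdict(lambda: {"bytes": 0, "channels": set(), "count": 0})
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("action") != "file_downloaded":
            continue  # posts, reads and joins are not data movement
        p = prof[(ev["user"], ev["ts"][:10])]  # ISO date prefix is the day bucket
        p["bytes"] += int(ev["bytes"])
        p["channels"].add(ev["channel"])
        p["count"] += 1
    return prof


def detect(lines: List[str], min_history_days: int = 5,
           z: float = 3.0, fanout_factor: int = 3) -> List[dict]:
    """Alert when a user's day exceeds their own prior history.

    Baselines use earlier days only, so a burst never dilutes its own baseline.
    """
    by_user: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for (user, day), p in daily_profiles(lines).items():
        by_user[user][day] = p

    alerts = []
    for user, days in by_user.items():
        ordered = sorted(days)  # ISO dates sort chronologically
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history_days:
                continue  # too little history; brand-new accounts need a separate rule
            today = days[day]
            hist_bytes = [h["bytes"] for h in history]
            mu, sigma = mean(hist_bytes), pstdev(hist_bytes)
            # Floor sigma so a perfectly flat baseline does not alert on +1 byte.
            volume_limit = mu + z * max(sigma, 0.1 * mu)
            max_channels = max(len(h["channels"]) for h in history)
            reasons = []
            if today["bytes"] > volume_limit:
                reasons.append("volume")
            if len(today["channels"]) > fanout_factor * max_channels:
                reasons.append("fanout")
            if reasons:
                alerts.append({
                    "user": user, "day": day, "reasons": reasons,
                    "bytes": today["bytes"], "baseline_mean_bytes": mu,
                    "channels": len(today["channels"]),
                    "baseline_max_channels": max_channels,
                })
    return alerts


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(f"{a['day']} {a['user']}: {', '.join(a['reasons'])} "
              f"({a['bytes']} B vs mean {a['baseline_mean_bytes']:.0f}; "
              f"{a['channels']} channels vs max {a['baseline_max_channels']})")
```

Two design choices matter more than the thresholds. Volume alone is easy to evade by pulling slowly, so channel fan-out is a second, independent signal: an ordinary employee reads a handful of channels, while an attacker enumerating a workspace touches hundreds. And days with no downloads do not appear in the profile, so a production version should fill in zero-activity days before computing the baseline, or a user who downloads once a month will look like a burst on the day they do.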
Closing Thoughts
Disney's two separate incidents were not the work of nation-state attackers or novel vulnerabilities. They were enabled by poor access governance, over-permissive SaaS access, and low visibility into identity activity.
In 2025, these aren’t new risks. They are known problems that continue to be deprioritized in favor of bigger, flashier security investments. But the truth is simple: your SaaS stack and identity layer are your new perimeter. Overlook them, and you are handing attackers a blank check.
Secure your SaaS before you face a major breach. CheckRed gives you complete visibility into your cloud and SaaS stack—from risky third-party apps to misconfigured SaaS permissions and abnormal user behavior. Interested in knowing more? Get in touch with us!