Ryan K. is a 25-year-old computer hacker who lives in California.
In 2024, Ryan targeted Disney and hacked into their computer systems and leaked data under the guise of a hacktivist collective.
He started the hack by targeting a single Disney employee.
Ryan did this by communicating with the Disney employee online and convincing him to download a fake AI tool.
The hacking code was disguised as a tool for creating AI-generated art.
But in reality, it deployed malware that gave Ryan access to the victim’s device.
The employee stored his credentials on the computer and Ryan was able to access the employee’s Slack account.
Slack is a communication software used by many companies that allows employees to easily communicate with each other.
Once Ryan accessed the Slack account, he was able to steal data from thousands of Slack channels operated by Disney.
He stole 1.1 TB of data from Disney’s internal Slack channels, including messages, information on unreleased projects, login credentials, and source code.
Once he had the compromised data, he then tried to extort the Disney employee.
When the employee didn’t respond to the extortion attempts Ryan released the stolen Disney data online.
Ryan was eventually caught by law enforcement. He claimed that he was part of a hacktivist group based in Russia.
He ended up pleading guilty to accessing a computer and obtaining information and threatening to damage a protected computer.
After the hack, Disney no longer uses Slack for in-house communication.
The employee who downloaded the fake software that enabled the hacking was fired.
Hackers have recently claimed to have stolen data from big companies such as Adidas, Cisco, and Disney.
And the way they carried out every attack involved tricking employees.
It’s estimated that more than 80% of hacking involves some form of social engineering that tricks employees into providing information.
Sadly, these types of attacks are common.
Even the biggest and most secure companies can fall victim because of the human element involved.
So here are a few ways you can protect yourself from a social engineering hacker who could compromise your data and cost you your job.
Slow down:
Most of us have a million things to do on our computers when we get to the office in the morning.
But, instead of rushing through emails, take things slowly.
Hackers thrive on urgency and fear.
They will say things like, “Your account will be locked in five minutes.”
Or “Your boss needs this file immediately.”
Pause before responding to emails that have such urgency.
Also, verify the data request through another channel such as calling the person who allegedly sent the request.
Impersonators:
Often, hackers will impersonate a company or fellow employee.
For example, they will say they are an IT support, a delivery company, or a bank official.
No one should ever be calling or emailing and asking for passwords or private data.
If you get an unexpected phone call, even if it sounds official, you should refer the caller to the appropriate department.
For instance, if someone calls from the bank you should refer them to your finance department.
Don’t provide information if it should come from another person.
Triggers:
To convince employees to hand over sensitive information hackers use psychological triggers.
For example, they might say, “I’m the CEO of the office.”
Or “You’re in trouble unless this is done right now.”
On the other hand, they may also entice employees by saying, “You’ve won a prize.”
Additionally, hackers use phrases that play on emotions and make you want to respond.
The best way to protect yourself from hackers using social engineering is education and confirmation.
Share the most common social engineering attacks and tactics with your co-workers.
And, if someone emails you for sensitive data, always confirm the request over the phone before taking any action.
Every time you get a request for private data, think it through before responding.
