Walt Disney Co. has been hit with a class action lawsuit accusing the Burbank-based entertainment giant of negligence, breach of implied contract and other misconduct in connection with a massive data breach that occurred earlier this year.
Plaintiff Scott Margel submitted the complaint on Thursday in Los Angeles County Superior Court against Disney and Disney California Adventure. The 32-page document also accuses the company of violating the customer records act and the confidentiality of medical information act by not doing enough to prevent or notify victims of the extent of the leak.
The class members, estimated to total in the thousands, are described in the complaint as individuals who gave “highly sensitive personal information” to Disney in connection with their employment at the company — information that was allegedly compromised in the breach.
Representatives of Disney did not immediately respond Friday to The Times’ request for comment.
The lawsuit cites an article published in September by the Wall Street Journal, which reported that a hacking group known as NullBulge publicly released data spanning more than 18,800 spreadsheets, 13,000 PDFs and 44 million internal messages sent via the workplace communication platform Slack.
According to the Journal, the compromised Slack messages contained sensitive information belonging to Disney cruise employees, including passport numbers, visa details, birthplaces and physical addresses; while at least one spreadsheet listed the names, addresses and phone numbers of some Disney Cruise Line passengers. The publication later reported that Disney planned to stop using Slack following the breach.
The plaintiff and class members “remain, even today, in the dark regarding which particular data was stolen, the particular malware used, and what steps are being taken, if any, to secure their [personal information] going forward,” the complaint reads.
The plaintiff and class members “are, thus, left to speculate as to where their [data] ended up, who has used it and for what potentially nefarious purposes.”
In July, NullBulge said that it had leaked roughly 1.2 terabytes of Disney data in rebuke of the company’s treatment of artists, “approach to AI” and “pretty blatant disregard for the consumer.” The self-proclaimed hacktivists told CNN that they were able to penetrate Disney’s system thanks to “a man with Slack access who had cookies.”
A Disney spokesperson said in a statement at the time that the company was “investigating this matter.”
Margel is demanding that Disney take steps to reinforce its security system and educate class members about the risks associated with the breach. The plaintiff is also seeking unspecified damages and a jury trial.