CIOs Lessons From Disney’s Post-Breach Decision To Leave Slack
Following this summer's breach of its Slack channels, Disney plans to stop using the collaboration platform.
After assessing a summertime breach of its internal Slack channels, Disney plans to stop using the communications platform by the end of Q1 of fiscal year 2025.
In July, hacking group NullBulge leaked 1.1 terabytes of data that it claims to have gained from Disney via Slack. Business Insider reported recently -- based on an internal Disney memo -- that the entertainment giant intends to make a switch in response. The company is reportedly moving to Microsoft Teams.
While details surrounding the root cause of the breach remain sparse, incidents involving a third party are quite common and raise questions about responsibility. Was it a failing on the part of the vendor or the customer? If this type of breach continues to happen, will more companies make a decision like Disney’s and switch vendors?
InformationWeek spoke to three cybersecurity experts about this incident and what CIOs and other enterprise leaders can learn.
The Breach
In a 10-Q filed with the US Securities and Exchange Commission on Aug. 7, Disney notes its “ongoing investigation of the exfiltration and unauthorized release of over a terabyte of data from one of the communication systems used by the Company.”
NullBulge claims it was able to gain access with the help of a malicious insider at Disney, Wired reports. The group styles itself as an anti-AI hacktivist organization.
It remains unclear if the claim of a malicious insider at Disney is true. Paul Aitken, team lead, threat intelligence at managed detection and response company eSentire, urges skepticism when evaluating claims from threat actors.
“It's much more probable that this threat actor bought info stealer logs off the dark web market and then they were able to use those logs for access into Disney,” he tells InformationWeek.
While the exact way NullBulge gained access remains unconfirmed, Slack stands by its security measures.
“Slack operates with the highest security standards to protect our customers. At this time, there is no evidence this issue was the result of a vulnerability inherent to Slack,” a Slack spokesperson tells InformationWeek via email.
Disney’s Decision
As an entertainment powerhouse, Disney’s decision to change the tool its employees use to communicate internally was bound to capture a lot of attention.
Regardless of the root cause of a breach, any company that experiences one has decisions to make about how it will respond and move forward.
“Following any major breach, organizations are going to be very motivated to show the improvements that they've made to their security to prevent a breach in the future and help reestablish the trust that's been lost,” says Aitken.
An organization in Disney’s position is likely to evaluate its use of a tool involved in a breach, the tool’s security controls, and its own security posture.
“Without being in the meetings at Disney where those decisions are made, we can't say for sure whether this is optics or … security concerns,” says Aitken.
Disney did not respond to InformationWeek’s request for comment.
Post-Breach Strategy
Collaboration platforms -- not just Slack -- represent rich targets for attackers. “As an attacker … that's where I want to go because if I can mine Slack or Teams or whatever … I can get a lot of information about the company,” says John Paul Cunningham, CISO of identity protection platform Silverfort.
Companies that use these platforms need to balance their operational value and convenience with risk. “It's not about Slack versus Teams,” Cunningham argues. “Disney and just about every other company [are] just not doing enough to lock down that environment.”
Slack has security features built into its platform. Users can leverage two-factor authentication and identity and access controls. Slack encrypts data, both while it is at rest and in transit. Its audit logs API allows users to detect suspicious activity. But data security is a shared responsibility, Ravi Srinivasan, CEO of Votiro, a zero-trust data detection and response company, points out.
“Organizations, in my opinion, will need to take a closer look at how these platforms are going to be used. What kind of data is going to be shared?” he asks. “Then [put] appropriate controls in place for data security, data retention, data residency.”
The supply chain continues to grow more complex. Enterprises rely on many different vendors to operate, which means they entrust those vendors with their data. Will ongoing breaches result in that trust being damaged enough that more enterprises will contemplate changing vendors?
“Some organizations are going to switch while others are going to stay the course,” says Aitken. “The right solution needs to be evaluated and based on individual use cases and requirements. So, rapid changing between products, probably not a wise decision, but that continued evaluation and switching based on your requirements is very legitimate.”
Regardless of the decision to stay or go, enterprise leaders need to consider their organizations’ internal policies for using any tool that handles sensitive data.
“Changing vendors without changing how you're using the tool and the controls around the tool aren't going to make the problem any better,” says Cunningham.