

When Disney—one of the world’s most recognizable brands—falls victim to a cyber-attack, we all need to pay attention. The recent hack that exposed 1.1 terabytes of Disney’s confidential data wasn’t carried out through some sophisticated zero-day exploit or nation-state level attack.

It was executed using a simple but devastating social engineering tactic: a fake AI art generation tool that contained malware. And it all began with a single employee’s personal computer. This incident highlights a truth EzProtect data security experts have been emphasizing for years: while security is a shared responsibility, your internal users can be your organization’s greatest vulnerability.

Read on to learn how you can prevent your organization from becoming tomorrow’s headline with actionable steps to secure your Salesforce environment.  

The Disney Hack: A Case Study in Modern Threats 

In early 2024, Ryan Mitchell Kramer, a 25-year-old from California, uploaded a malicious program to GitHub and other public repositories. This program was disguised as an AI art generation tool—capitalizing on the current generative AI craze to appear legitimate and enticing. A Disney employee downloaded this program between April and May 2024, unknowingly installing malware that stole their stored login credentials for both personal and work accounts. 

Using these stolen credentials, Kramer accessed Disney’s internal Slack workspace and exfiltrated approximately 1.1 terabytes of sensitive data from nearly 10,000 channels. The stolen information included: 

  • Revenue figures for Disney+ and ESPN+ 
  • Personal information of current and prospective employees 
  • Login credentials for cloud infrastructure 
  • Unreleased media projects 
  • Internal code and API links 

Following the breach, Kramer attempted to extort Disney and the employee, threatening to release the stolen data while posing as a fictional Russian hacktivist group called “NullBulge.” When his demands weren’t met, he publicly released the stolen files in July 2024, causing Disney to eventually abandon Slack entirely. 

This incident represents the first public virus-related attack involving a Salesforce property, demonstrating that even tech giants with robust security infrastructure aren’t immune to these threats.

Your Internal Users: The Human Element of Security 

The Disney breach exemplifies a crucial statistic: 74% of all breaches involve human elements, whether through error, privilege misuse, stolen credentials, or social engineering.  

This shouldn’t surprise us—humans are naturally curious, helpful, and sometimes careless, making them perfect targets for sophisticated social engineering. 

Consider these sobering statistics: 

  • Non-malicious insiders account for 75% of incidents, usually due to negligence or being exploited by external attackers 
  • Insider-led cyber incidents cost organizations an average of $16.2 million annually 
  • Insider-led incidents take an average of 85 days to contain 

The Disney breach began with a single employee downloading what they believed was a harmless AI art tool on their personal computer. This highlights a critical vulnerability in our increasingly blended work-from-home environments: the boundary between personal and work devices has become dangerously blurred. 

Understanding the Salesforce Shared Responsibility Model 

Many organizations mistakenly believe that by moving to cloud platforms like Salesforce, they’ve transferred all security responsibilities to the provider. This dangerous misconception leaves companies vulnerable to precisely the kind of attack that affected Disney. The Salesforce shared responsibility model clearly delineates security duties: 

Salesforce’s responsibilities: 

  • Securing infrastructure and platform 
  • Managing firewall rules 
  • Enforcing data isolation per tenant 
  • Running proactive code scans and penetration tests 
  • Ensuring compliance with industry standards 
  • Providing secure communication protocols 

Customer responsibilities: 

  • Restricting application-level access controls 
  • Enforcing two-factor authentication 
  • Assigning proper roles and permissions 
  • Monitoring audit logs 
  • Ensuring secure implementation of custom code 
  • Securing third-party integrations 
  • Deploying anti-abuse and fraud prevention measures 

Here’s a critical fact many Salesforce customers don’t realize: Salesforce doesn’t scan uploaded files or static resources for viruses and malware. Without a virus scanning solution, that gap could leave your company exposed to a vulnerability similar to the one that led to the Disney breach.

Practical Steps for Securing Your Salesforce Org

Considering the Disney incident and the shared responsibility model, here are concrete actions you can take to better secure your Salesforce environment: 

1. Implement the Principle of Least Privilege 

The principle of least privilege means giving users only the permissions essential to perform their specific job functions. Here’s how to apply this: 

  • For Sales Representatives: Review what Account information they truly need to edit. Not every sales rep needs to modify territory-defining fields. 
  • For Integration Users: Start with zero access and add only what’s necessary, rather than granting “System Admin” privileges for convenience. 
  • For Admin Users: Distinguish between “admin-as-usual” activities and more sensitive “project” or “deployment” activities. Create different profiles accordingly. 

2. Audit and Control Powerful Permissions 

Begin by cloning your System Admin profile and removing unnecessarily powerful permissions, such as: 

  • “Modify All” (allows viewing and editing all data) 
  • “Manage Users” (can change access levels, including their own) 
  • “Customize Application” (can make potentially destabilizing changes) 

3. Restrict Data Export Capabilities 

Several permissions allow data to be exported from Salesforce: 

  • Export Reports 
  • Email Reports 
  • Data Export 
  • View All (on any object) 

Work with your business owners and InfoSec team to determine who genuinely needs these capabilities. In most cases, only a small subset of users should have these permissions. 
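As an added example (not EzProtect's or Salesforce's own code), the script below shows one way to run the audit described in steps 2 and 3: it takes rows shaped like the result of a PermissionSetAssignment query and reports every user who holds a powerful or export permission without being on an approved list, along with the profile or permission set that grants it. The field-name mapping, the approved list and the sample rows are assumptions constructed for illustration; Email Reports is left out because its field name is not assumed here.

```python
from collections import defaultdict

# The page's permission labels mapped to PermissionSet field names. The mapping
# is an assumption of this example: confirm each field in your org's describe.
RISKY = {
    "PermissionsModifyAllData": "Modify All",
    "PermissionsManageUsers": "Manage Users",
    "PermissionsCustomizeApplication": "Customize Application",
    "PermissionsExportReport": "Export Reports",
    "PermissionsDataExport": "Data Export",
    "PermissionsViewAllData": "View All",
}

# Query an auditor would run to get one row per (user, profile or permission set).
SOQL = ("SELECT Assignee.Username, PermissionSet.Label, PermissionSet.IsOwnedByProfile, "
        "PermissionSet.Profile.Name, " + ", ".join("PermissionSet." + f for f in RISKY)
        + " FROM PermissionSetAssignment WHERE Assignee.IsActive = true")

def audit(rows, approved):
    """Map each user to the risky permissions they hold without approval,
    and to the profile or permission set that grants each one."""
    findings = defaultdict(lambda: defaultdict(list))
    for row in rows:
        user, pset = row["Assignee"]["Username"], row["PermissionSet"]
        if pset["IsOwnedByProfile"]:
            source = "profile: " + pset["Profile"]["Name"]
        else:
            source = "permission set: " + pset["Label"]
        for field, label in RISKY.items():
            if pset.get(field) and user not in approved.get(label, set()):
                findings[user][label].append(source)
    return {user: dict(perms) for user, perms in findings.items()}

def _row(user, label, profile=None, **perms):  # builds one constructed result row
    pset = {"Label": label, "IsOwnedByProfile": profile is not None,
            "Profile": {"Name": profile} if profile else None, **perms}
    return {"Assignee": {"Username": user}, "PermissionSet": pset}

ALL = {field: True for field in RISKY}
SAMPLE_ROWS = [  # constructed data, not taken from any real org
    _row("admin@example.com", "X00e1", profile="System Administrator", **ALL),
    _row("integration@example.com", "X00e1", profile="System Administrator", **ALL),
    _row("rep@example.com", "X00e2", profile="Sales User"),
    _row("rep@example.com", "Report Exporter", PermissionsExportReport=True),
]
APPROVED = {label: {"admin@example.com"} for label in RISKY.values()}

if __name__ == "__main__":
    for user, perms in audit(SAMPLE_ROWS, APPROVED).items():
        for label, sources in perms.items():
            print(f"{user}: {label} via {', '.join(sources)}")
```

On the constructed rows, the integration user that was given the System Administrator profile is flagged for all six permissions, and the sales rep is flagged for Export Reports granted through a separate permission set.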

4. Monitor User Activity and Enforce Strong Authentication 

Implement comprehensive auditing to track who is accessing sensitive data and when. Additionally: 

  • Enforce multi-factor authentication for all users 
  • Regularly review login history for unusual patterns 
  • Set up alerts for suspicious activities 

5. Scan All File Uploads for Malware 

Remember: Salesforce doesn’t scan uploaded files or static resources for viruses and malware. Implement a third-party solution to scan all files before they’re uploaded to your org. 

6. Implement a Comprehensive Backup Solution 

At EzProtect, we believe data loss or corruption is a matter of “when,” not “if.” A proper backup solution should: 

  • Align with your recovery objectives 
  • Represent true data independence 
  • Back up both metadata and data 
  • Offer comprehensive restore capabilities 

Remember that simply exporting data isn’t sufficient. If you cannot recover from your export, it’s not a backup. 

7. Train and Test Your Team 

Security awareness training is essential, but don’t stop there: 

  • Conduct regular phishing simulations 
  • Test user responses to suspicious download requests 
  • Create clear procedures for reporting security concerns 
  • Foster a culture where security is everyone’s responsibility 

The Rising Cost of Complacency 

The consequences of security breaches continue to escalate. The Disney incident resulted in not only massive data exposure but also operational disruption, as the company was forced to abandon its Slack implementation entirely. 

Consider these costs: 

  • Dealing with a malicious insider attack costs an average of $4.99 million 
  • 12% of employees take sensitive information before leaving an organization 
  • At more than 64% of financial service companies, 1,000+ sensitive files are accessible to all employees 

These statistics highlight a fundamental truth: the most sophisticated security infrastructure can be undermined by poor internal controls and human behavior. 

Calculate Your Data Breach Risk Cost 

There are two types of companies: those that have experienced a cyber-attack and those that will. Cyberattacks aren’t just a security threat—they threaten client trust, incur substantial legal fees, and damage company reputation. While headlines focus on tech giants like Disney, the stark reality is that organizations of all sizes face average losses of $4.88 million per data breach—a 10% increase over last year and the highest total ever. 

The financial impact extends across three critical areas: 

  • Direct Financial Loss: Each stolen record costs an average of $164 according to IBM’s research. With cybercriminals stealing 168 records per second and breaches taking 206 days to detect, a typical organization loses 1.2 million records per incident. System downtime adds $336,000 per hour in losses. 
  • Customer Trust Loss: Organizations typically lose 7-50% of their customer base following a breach. For a company with 5,000 customers, that’s at least 350 clients immediately lost, with acquisition costs averaging $175 per new customer to rebuild. 
  • Legal Costs: GDPR violations can result in fines up to 4% of annual revenue. Legal defense costs accumulate at roughly $1,000 per hour during breach response, with regulated industries facing average legal costs of $2.3 million. 

Industry averages tell only part of the story. Your organization’s specific risk profile requires immediate quantification.  
 
Use our confidential EzProtect Cyberattack Cost Calculator to generate a customized financial impact report based on your unique data, customer base, and industry. Once completed, you’ll be equipped to present a compelling business case for cybersecurity investments to your board and executive teams. 

Protecting Your Most Valuable Asset: Your Data 

The Disney hack through a malware-laced AI art tool is a stark reminder that threats evolve constantly, often exploiting our curiosity about new technologies. As your organization adopts innovative tools—whether AI-powered applications, third-party integrations, or custom solutions—each introduces new potential attack vectors. 

Within Salesforce specifically, custom code, AppExchange applications, and connected external systems all expand your vulnerability surface. Without proper governance and security protocols, any of these could become your organization’s downfall. 

Protect Your Salesforce Environment Today 

The Disney breach should serve as a wake-up call for every organization using Salesforce and other cloud platforms. The shared responsibility model means that while Salesforce provides a secure platform, the security of your data ultimately rests in your hands. 

At EzProtect, we specialize in helping companies understand and address their Salesforce security vulnerabilities before they become costly breaches. Our team of certified experts has helped hundreds of organizations implement the security measures outlined above and more. 

Get Your Salesforce Security Assessment 

Contact our EzProtect team today for a free security assessment that bridges the critical gaps in the shared responsibility model—including comprehensive scanning of files and static resources that Salesforce doesn’t provide. Our expert team will deliver a customized 3-step action plan to strengthen your security posture and prevent your organization from becoming tomorrow’s headline. 



 

 

Published On: May 6, 2025. Categories: Cybersecurity, Salesforce.
