What went wrong at Disney: The Hidden Dangers of AI Tool Adoption

I keep telling clients: just because a new AI tool is exciting, DO NOT GIVE IT ACCESS TO YOUR COMPANY DATA without proper due diligence.

In the fast-paced world of business technology, AI tools promise efficiency and innovation.

However, as a program management and AI specialist, I've witnessed a concerning trend: organizations hastily implementing AI solutions without proper security vetting.

The Allure of AI Productivity Tools

There's an undeniable appeal to tools that promise to streamline workflows, especially for those managing complex organizational structures:

• Project managers juggling multiple teams and deliverables
• Department heads coordinating cross-functional initiatives
• Leadership teams seeking competitive advantages through technology

The productivity gains can indeed be transformative. Well-implemented AI solutions can automate repetitive tasks, provide valuable insights from data, and free up human resources for more strategic work (as long as they still have the ability to think critically, which is being reduced due to AI usage).

And if you’re managing multiple people on projects, the lure is even stronger. AI promises streamlined processes, fewer manual tasks, and faster decision-making.

In fact, if you want to see the best AI tools which I recommend specifically for project managers, you can find the Linkedin article here.

But if you’re leading entire departments or have executive responsibilities, the risks scale up tenfold. The wrong AI tool in the wrong hands can lead to devastating consequences, not just for your workflows but for your entire organization’s security and reputation.

The Security Blind Spot

Despite these benefits, many organizations have a critical blind spot when it comes to AI implementation security. Consider these overlooked risks:

Data Processing Opacity

Many AI tools operate as "black boxes": users input data and receive outputs, but the intermediate processing remains unclear. This lack of transparency creates significant security and compliance vulnerabilities.

Unclear Data Storage Policies

When you upload company information to an AI tool, where does that data actually go? Is it stored on servers? For how long? Is it used to train the tool's models? These questions often go unasked and unanswered during implementation.

Unintentional Access Grants

Perhaps most concerning is the potential for AI tools to gain broader system access than intended. Many tools request permissions that extend far beyond what's necessary for their core functionality. And many employees do not realise the dangers of "logging in" with something like their google account, let alone their company account.

Malicious or Compromised AI Software

Just because a tool is popular or available on GitHub does not mean it’s safe. Cybercriminals embed malware into seemingly useful AI applications. If you or your employees download one without vetting it, your company’s security could be compromised

A Cautionary Tale: The Disney Breach in Detail

Let’s talk about a recent cybersecurity breach at 华特迪士尼公司 which perfectly illustrates these risks in alarming detail.

In February 2024, Disney engineer Matthew Van Andel (Wall Street Journal article) downloaded what appeared to be a free AI image-generation tool from GitHub. His intent was simple - to improve his workflow and create images more efficiently.

What he couldn't have known was that this tool contained sophisticated malware known as an "infostealer." The consequences were devastating.

Hackers used this malware to gain access to his password manager, Disney’s internal Slack channels, and other sensitive company systems. Over 44 million internal messages were stolen, exposing confidential employee and customer data. This information was then used for blackmail and exploitation.

For Van Andel, the breach also had severe personal ramifications:

• His credit card information and Social Security number were stolen
• Hackers accessed his home security camera system
• His children's online gaming profiles were targeted
• Following an internal investigation, Disney terminated his employment

The engineer had no intention of compromising Disney’s security. But this incident highlights a crucial reality:

If you don’t fully understand what an AI tool is doing, how it stores data, or the level of access you’re granting, you are taking a massive risk.

Organizational Response

The breach was so severe that Disney announced plans to discontinue using Slack entirely for internal communications, fundamentally changing their corporate communication infrastructure.

Van Andel only became aware of the intrusion in July 2024 when he received a Discord message from the hackers demonstrating detailed knowledge of his private conversations - by then, the damage was already extensive.

Why This Matters to Every Organization

This incident wasn't the result of malicious intent or negligence. It stemmed from a common desire: finding tools to work more efficiently. However, it demonstrates how seemingly innocent productivity improvements can create catastrophic security vulnerabilities.

Consider the implications:

• A single download compromised an entire enterprise communication system
• Personal and corporate data were both exposed
• The organizational impact necessitated abandoning a key communication platform
• An employee lost their job despite having no malicious intent

Implementing AI Tools Safely: A Framework

Rather than avoiding AI tools entirely, organizations need a structured approach to their adoption:

1. Establish a Formal AI Tool Vetting Process

Create a standardized procedure for evaluating any AI tool before implementation within a company. This should include:

• Reviewing other expert's experience with the system, especially reviews from trusted authorities
• Security assessments and code reviews for downloaded applications
• Privacy policy reviews and vendor security credential verification
• Data handling transparency requirements
• Integration risk analysis with existing systems
• An isolated test phase
• Insights from specialists (either within the organisation or specialist consultants) who understand IT and AI systems

2. Implement Least-Privilege Access Principles

When granting permissions to AI tools, provide only the minimum access required for functionality. Avoid tools that demand excessive permissions.

3. Deploy Multi-layered Security Measures

The Disney case highlights the importance of additional security layers:

• Implement robust two-factor authentication across all systems
• Use virtual machines or sandboxed environments for testing new tools
• Regularly update security training to address emerging AI-related risks

4. Educate employees and Leaders, and develop clear AI Usage Guidelines

Create and communicate organizational policies regarding which types of data can be shared with AI tools and under what circumstances.

5. Prioritize vendor reputation and transparency

Work with established vendors who provide clear documentation about their data policies and security measures. Be especially cautious with free tools from unverified sources. Instead of freely available AI tools, consider enterprise solutions with security features, compliance certifications, and dedicated support. OpenAI, Microsoft Copilot, and Google Gemini offer business-focused AI tools that prioritize security, and may integrate directly with the systems your company already uses.

Balancing Innovation and Security

The challenge for modern organizations isn't whether to adopt AI tools, but how to do so responsibly.

Program managers sit at the intersection of technology adoption and operational security, making them crucial stakeholders in this process.

By implementing thoughtful governance around AI tool adoption, organizations can harness the tremendous productivity benefits these tools offer while protecting their sensitive information and systems.

The most successful AI implementations aren't necessarily the most advanced or feature-rich. They're the ones that carefully balance innovation with security, ensuring that productivity gains don't come at the cost of organizational vulnerability.

There is a fine balance between being excited by the apparent possibilities which new AI tools can promise. Sometimes, this emotional excitement can override the logical processes where risk is properly assessed. But this is the value of having the right processes in place from the outset.

Final Thought: AI Can Be a Game-Changer, But Only If Used Wisely

When deployed correctly, AI can revolutionize how you manage projects, lead teams, and drive innovation.

But blindly trusting every AI tool without vetting it is a recipe for disaster.

The Disney employee’s story is a warning: one seemingly harmless decision can lead to massive security breaches, reputational damage, and job loss.

As AI tools continue to proliferate, the need for careful evaluation becomes even more critical. Organizations that develop robust protocols for AI adoption now will be better positioned to safely leverage these powerful technologies in the future.

For program managers and leaders looking to effectively navigate this complex landscape, start by auditing your current AI tool usage and establishing clear governance frameworks before expanding your technology portfolio further.

If you're interested in developing comprehensive strategies for safely selecting and implementing AI tools across your project management, innovation, and leadership functions, I'd be happy to discuss approaches tailored to your organization's specific needs. Connect with me Nick Skillicorn and let's talk about how I can help you