Michael Scheuer, a former Disney World employee, has admitted to hacking the company’s menu software. This shocking case involved altering allergen information on restaurant menus, which could have led to life-threatening risks for guests with severe allergies.
What Happened?
Scheuer, who worked as a menu production manager, was fired by Disney in June 2024 for misconduct. After his termination, he accessed Disney’s menu-creation system without permission between July and September.
During this time, he:
- Falsely marked food items as safe for people with allergies to peanuts, shellfish, and milk.
- Added inappropriate content, including swastikas and references to mass shootings.
- Changed QR codes on menus to redirect to a website promoting a boycott of Israel.
Impact of the Hacking
Disney reported that the hacking impacted almost all menus in its system. However, the company quickly identified the changes before the menus reached customers. Despite this, the incident caused significant disruption. Disney had to revert all menus to previous versions and adopt a manual menu approval process.
Other Cybercrimes
In addition to menu hacking, Scheuer launched denial-of-service (DoS) attacks against 14 Disney employees, locking them out of their accounts. He also collected personal details about his targets, such as their addresses and phone numbers.
One night, Scheuer visited the home of an employee targeted in his attacks and left a disturbing “thumbs up” gesture on the security camera. Disney responded by relocating the employee to a hotel for safety.
Legal Consequences
Scheuer has pleaded guilty to two charges:
- Computer fraud.
- Aggravated identity theft.
He faces a minimum of 2 years in prison, with a possible sentence of up to 10 years. Additionally, he will pay restitution to Disney and other victims.
Mental Health and Responsibility
Scheuer’s lawyer stated that his client struggles with mental health issues, worsened after being fired from Disney. The lawyer confirmed that Scheuer is deeply remorseful and ready to take responsibility for his actions.
Lessons Learned
This case highlights the importance of robust cybersecurity systems and the dangers of insider threats. Disney has since stopped using the compromised software and is developing a more secure system.