Fired Disney employee accused of hacking into restaurant menus and replacing them with Windings and fake peanut allergy information

A disgruntled former Disney employee is facing accusations that the company hacked restaurant menu systems and could have damaged digital displays, endangering lives.

Michael Scheuer left his job as menu production manager at Walt Disney World in June and is accused of misusing his knowledge of work passwords to log into the menu creation system used by Disney restaurants in Florida.

according to criminal complaint Scheuer’s firing from Disney was controversial and viewed as unfriendly.

Despite this, the login information did not change after Scheuer left the organization.

After some time, Disney realized that it had suffered a security breach and revealed that some changes had been made to its menu creation software. These included replacing all fonts in the app with the Windings symbols font, which made all menus unusable, redirecting QR codes to a website calling for a boycott of Israel, and potentially dangerous removal of allergy information.

As a result, Menu Creator became unusable for 1-2 weeks and Disney had to implement manual processes to create menus for its restaurants.

Further investigation revealed that on July 3, 2024, someone using Mullvad VPN created a new user account with the fictitious name “Emily P Beaman” using the Menu Builder admin account.

Beginning on August 29, 2024, 14 Disney employees found that they were blocked from accessing their accounts due to a denial of service attack that used an automated script to attempt 100,000 logins, causing the accounts to be locked.

Many of those targeted by the denial-of-service attack had some form of interaction with Scheuer or were thought to be senior executives at Disney, according to officials.

According to the charges against Scheuer, around 12:41 a.m. on Sept. 23, 2024, FBI agents executed a search warrant at Scheuer’s home and contacted him at his front door at 12:48 p.m.

The denial-of-service attack on Disney employees ended about two minutes ago, just before Scheuer spoke with representatives.

While the FBI searched Scheuer’s home for evidence, Scheuer revealed that Disney was trying to frame him. He told officers he could not confirm whether he had accessed Disney’s corporate systems after his employment was terminated because he might need to access its network to retrieve salary details and other financial data.

The FBI examined computers seized from Scheuer’s home and discovered that they had Mullvad VPN (the same VPN used to hack Disney) installed on them. Coincidentally, or perhaps not coincidentally, Scheuer had been using the same VPN to access company emails from home since at least October 2023.

On one of the computers, agents found a folder on the desktop labeled “dox” that contained five files containing personally identifiable information of four individuals targeted in the denial-of-service attacks.

Shortly after the FBI received information that a search warrant had been issued for the Google account, a person believed to be Scheuer was seen parked outside the home of one of the denial of service victims. The individual was captured giving the victim’s thumbs-up to the Ring video doorbell after inspecting the package on his doorstep.

Analysis of cell phone data later showed that Scheuer was present in the victim’s neighborhood at the time the doorbell footage was taken.

The victim in question was so concerned for his safety that he left his home and moved into a hotel.

Fortunately, all of the falsified menus were seized by Disney before they could be physically distributed to restaurant guests. However, this once again raises concerns that many businesses are leaving themselves open to attacks by not changing login details when staff leave the company.

Strict access control policies and prompt revocation of system privileges for terminated employees are a must.

Scheuer remains in federal custody pending a bail hearing on November 5, 2024.