In a shocking turn of events, a former Disney employee stands accused of hacking into the company’s restaurant menu systems, tampering with digital displays, and potentially endangering lives. Michael Scheuer, who was recently terminated from his role as a menu production manager at Disney World, allegedly accessed the company’s systems, using his knowledge of Disney’s passwords and wreaking havoc. The incident highlights a critical issue: the need for companies to promptly change credentials upon an employee’s exit.
Ex-Employee Hacks Menus with Wingdings and False Allergy Information
After his contentious departure from Disney in June, Scheuer allegedly logged into Disney’s menu creation system. Using his retained access, he reportedly made disruptive changes, including setting all fonts to the Wingdings symbol font, which rendered the menus unreadable. Additionally, he altered allergy information, creating potentially dangerous scenarios for diners with food sensitivities. According to authorities, QR codes on menus were also redirected to a boycott website, causing further confusion.
Disney quickly discovered the breaches, realizing that their menu creation software had been tampered with. To continue operations, Disney had to revert to manual menu creation processes, which led to a major inconvenience for both the staff and the restaurant patrons.
Unauthorized Access and Account Lockouts Amid a Digital Attack
Investigators discovered that, on July 3, 2024, a user connected through Mullvad VPN accessed Disney’s system, creating a new user account under the fictitious name “Emily P Beaman.” Later, on August 29, several Disney employees were suddenly locked out of their accounts due to a denial-of-service (DoS) attack that employed a script to attempt tens of thousands of logins. The accounts were locked down, and it was noted that many of the affected individuals had past interactions with Scheuer or held upper-management roles at Disney.
As the DoS attack continued, authorities tracked the activity back to Scheuer. The attack ceased just minutes before FBI agents arrived at his home with a search warrant on September 23.
FBI Investigation Reveals VPN Link and Personal Information Files
When agents searched Scheuer’s home, they found computers with Mullvad VPN installed, which had been used in the attacks. In addition, one of the computers contained a folder labeled “dox” on its desktop, holding files with personal data of four individuals involved in the attack. Scheuer claimed that he might have accessed Disney’s system post-termination to retrieve personal data, though he denied hacking allegations and insisted Disney was framing him.
Interestingly, soon after learning that his Google account would be searched, Scheuer was reportedly seen parked outside one of his DoS targets’ homes, checking their doorstep and giving a thumbs-up to their video doorbell. The incident, combined with cellphone data that placed Scheuer in the area, was enough to alarm the victim, who chose to temporarily relocate for safety.
Disney Avoids Crisis as Menu Tampering is Discovered in Time
Fortunately, none of the tampered menus made it into the hands of restaurant guests. Disney intercepted the corrupted files, potentially averting a public relations disaster and preventing possible harm. Yet, this case underscores the importance of updating access controls and removing privileges immediately when an employee departs, particularly if the exit is contentious.
Lessons in Security: Swift Action Required When Employees Exit
The Disney hacking incident illustrates a stark reality: former employees can pose a significant security threat, especially if companies fail to revoke access promptly. The risks aren’t limited to data breaches but can extend to physical safety, as evidenced by the altered allergy information.
For companies, this incident serves as a crucial reminder that stringent access control policies and immediate action upon employee termination are essential. Routine security audits and clear protocols for access revocation can be the first line of defense against such breaches.
Scheuer Faces Federal Charges as Investigation Continues
Michael Scheuer currently remains in federal custody, with his bond motion hearing scheduled for November 5, 2024. The case is a stark reminder of the vulnerabilities companies face if they overlook former employees’ access rights. Swift, strategic action can prevent data manipulation, protect customer safety, and uphold the integrity of corporate systems.
Discover more from Open Security Labs
Subscribe to get the latest posts sent to your email.
