A criminal complaint filed in the Middle District of Florida alleges that a former Walt Disney World employee accessed Disney’s menu management software to manipulate menus used at the resort complex. The defendant illegally accessed the menu management software after a contentious firing back in June. Here’s what we know about the allegations.
Fired Disney Employee Criminally Alters Restaurant Menus
The criminal complaint alleges that Michael Scheuer illegally accessed Walt Disney World’s menu management software after being fired to criminally alter information on the menus. The complaint notes that some of the changes were “more benign”, such as changing prices or even adding profanity to the menus, but the complaint also says that Scheuer “manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies.”
The complaint also says that Scheuer aimed to disable certain accounts by launching denial-of-service attacks against them. The complaint outlines various attacks that were “sophisticated in nature”. The complaint uses the following chart to demonstrate the different ways that Scheuer performed various intrusions.
In the first intrusion, Scheuer modified the font files to use a font type similar to “wingdings”, which replaces letters with symbols – rendering the menu unreadable. The change was more significant than it sounds, and caused the menu creator application to become inoperable, requiring Disney to take the system offline and implement backup versions of the menu. The system was impacted for a period of 1-2 weeks.
For intrusion #2, Scheuer was able to illegally obtain access to a server to upload altered menus that contained incorrect pricing and allergen information. Scheuer added notations to menu items to indicate that the menu items were safe for consumption, which has potentially fatal consequences for guests with allergy concerns. The complaint says that Disney believes that the modified menus were identified by Disney and that they were not shipped out to restaurants or distributed further than the print queue.
The third intrusion affected larger menus that were typically on display outside of restaurants. In this attack, Scheuer changed the scannable QR codes to redirect not to Walt Disney World’s digital menus, but rather to a “miscellaneous website”. Again, Disney says that while the altered menus were printed, they were caught by Disney and not distributed.
The complaint says that Disney estimated the attacks to have caused damages of $150,000.
Other attacks outlined in the complaint included denial-of-service attacks where Scheuer allegedly created an automated script to perform more than 100,000 login attempts, causing affected accounts to be locked out due to repeated incorrect password attempts. In total, Scheuer targeted 14 other employee accounts for his DoS attacks.
While Scheuer used a Virtual Private Network program to try and mask his attempts, Disney says that he also used the VPN to log in to his company account when he worked with the company. The IP addresses that he used to log into his company account via the VPN matched the IP addresses used to carry out the attack against the company via the same VPN.
While Disney is not specifically named in the criminal complaint, instead being referred to as Company A, digital investigations website 404media confirmed that Disney was the target. Information contained within the criminal complaint also lists the Company A employee login address as the same address that Cast Members use to log in to Disney internal services.
As always, keep checking back with us here at BlogMickey.com as we continue to bring you the latest news, photos, and info from around the Disney Parks!