Fired Disney staffer accused of hacking menu to add profanity, wingdings, removes allergen info
If you're gonna come at the mouse, you need to be better at hiding your tracks
by Brandon Vigliarolo · The Register
A disgruntled ex-Disney employee has been arrested and charged with hacking his former employer's systems to alter restaurant menus with potentially deadly consequences.
Michael Scheuer was charged [PDF] and arrested last week for allegedly violating the Computer Fraud and Abuse Act on three occasions by breaking into a former employer's systems. Disney is not named in the complaint, but The Register has been told they are the company in question, and Scheuer's former employer.
Fired from his role at Disney as a menu production manager in June for what the complaint notes was unspecified "misconduct," the dismissal "was contentious and was not considered to be amicable," according to court documents signed by US magistrate judge Daniel Irick in what appears to be crayon (see page 25 of this PDF).
Scheuer allegedly went into action quickly following his termination. By early July he was said to have used his work credentials, which still functioned after his termination, to access the menu creation system that Disney had contracted another company to create, and to change all the fonts in the system to wingdings symbols.
"The fonts were renamed by the threat actor to maintain the name of the original font, but the actual characters appeared as symbols," the complaint alleged.
"When launched, Menu Creator reached out to the configuration files to retrieve what it believed to be the correct font, instead, it retrieved the altered font files," the document continued. "As a result of this change, all of the menus within the database were unusable because the font changes propagated throughout the database."
According to the complaint, the changes knocked the system offline for a couple of weeks, requiring backup restoration to fix.
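The complaint's description of fonts that kept their names while their contents changed is the case a name-only check passes and a content-hash baseline catches. The sketch below is an added example, not code from the complaint or from the menu software; the directory layout, file names and font bytes are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

FONT_SUFFIXES = {".ttf", ".otf"}  # assumption: fonts are stored as ordinary files


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(font_dir: Path) -> dict:
    """Record a content hash for every font file, keyed by file name."""
    return {p.name: sha256_file(p) for p in sorted(font_dir.iterdir())
            if p.suffix.lower() in FONT_SUFFIXES}


def verify(font_dir: Path, manifest: dict) -> dict:
    """Compare the directory against the baseline by content, not by name."""
    current = build_manifest(font_dir)
    return {
        "modified": sorted(n for n in manifest
                           if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: one font's bytes are swapped, its name is kept."""
    with tempfile.TemporaryDirectory() as tmp:
        fonts = Path(tmp)
        (fonts / "MenuSerif.ttf").write_bytes(b"constructed: original serif glyphs")
        (fonts / "MenuSans.ttf").write_bytes(b"constructed: original sans glyphs")
        baseline = build_manifest(fonts)  # taken while the files are known good
        # Tampering as described: same file name, different contents.
        (fonts / "MenuSerif.ttf").write_bytes(b"constructed: symbol glyphs")
        report = verify(fonts, baseline)
        report["names_unchanged"] = set(baseline) == {p.name for p in fonts.iterdir()}
        return report


if __name__ == "__main__":
    print(demo())
```

The baseline only helps if it is stored where an account with write access to the font directory cannot also rewrite it.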
In addition to the font changes, Scheuer also allegedly used his credentials to download menus waiting to be printed and altered them to redirect menu QR codes to a website urging visitors to boycott Israel over its invasion of Gaza.
Most critically, however, Scheuer is also accused of having downloaded menus and altered them to eliminate allergen information, suggesting foods were safe when they weren't. As the complaint notes, this could have deadly consequences - something Disney is already familiar with.
"It is believed these menus were identified and isolated by [Disney] prior to being shipped out to restaurants and were not distributed further," the complaint noted. The same thing happened with menus containing the altered QR codes.
Scheuer was also accused of being behind several denial of service attacks on a number of Disney employees with whom he had allegedly had prior contact, carried out by developing a script to hammer account login pages with incorrect login attempts.
Multiple VPNs
A search of his home and computers suggests he tried to use the Mullvad VPN to hide his tracks, but IP records were able to identify his likely use of the app to commit his intrusions - including the fact that similar Mullvad-linked IP addresses had been utilized by Scheuer while employed at Disney to access his work accounts. Multiple virtual machines were also found on Scheuer's computer that contained evidence they were used in the attack.
Most critically, the complaint claims, personal information on several of the Disney employees targeted for DoS attacks was found in a folder on the desktop of one of Scheuer's VMs labeled "dox," as well as PII belonging to one of the employee's relatives.
According to the complaint, Scheuer also showed up on the porch of one of the DoS victims' homes shortly after being told by the FBI that a search warrant had been issued for his Google account.
All said, the FBI believes its investigation makes it clear Scheuer is the culprit, and has charged him with two violations of the CFAA "specifically that he knowingly and without authorization caused the transmission of a program, information, code, or command to intentionally cause damage to a protected computer and caused loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value," the FBI agent attesting the case concluded.
It's not immediately clear how long Scheuer could face in prison if convicted, but it could be up to 15 years based on sentencing guidelines.
Scheuer remains in jail pending a bond hearing, a date for which hasn't been set. Disney did not respond to questions for this story. ®