A disgruntled former Disney employee is facing charges that he hacked into the company’s restaurant menu systems and wreaked havoc on its digital displays that could have potentially put lives at risk.
Michael Scheuer left his role as a menu production manager at Walt Disney World in June, and is accused of abusing his knowledge of work passwords to log into the menu creation system used by Disney restaurants in Florida.
According to the criminal complaint against him, Scheuer’s firing from Disney was contentious and not considered to be amicable.
Despite this, login credentials were not changed upon Scheuer’s departure from the organisation.
Disney discovered some time later that it had suffered a security breach, and uncovered that several changes had been made to its menu creation software. These included the changing of all fonts in the app to the Windings symbols font which made all of the menus unusable, the redirection of QR codes to a website calling for a boycott of Israel, and the potentially dangerous removal of allergy information.
As a consequence, Menu Creator was unusable for 1-2 weeks and manual processes had to be introduced by Disney to create menus for its restaurants.
A deeper investigation unearthed that on July 3 2024 someone using the Mullvad VPN had used a Menu Creator administrator account to create a new user account in the fictitious name of “Emily P Beaman.”
Beginning August 29 2024, 14 Disney employees found themselves blocked from accessing their accounts by a denial-of-service attack which used an automated script to attempt 100,000 logins – causing the accounts to lockdown.
According to the authorities, most of the individuals targeted by the denial-of-service attack had had some type of interaction with Scheuer or were considered to be upper-management at Disney.
According to the charges against Scheuer, at approximately 12:41pm on September 23, 2024 FBI agents executed a search warrant at Scheuer’s home and made contact with him at his front door at 12:48pm.
The denial-of-service attack against Disney employees ceased approximately two minutes earlier, just before Scheuer spoke to the agents.
The FBI searched Scheuer’s home for evidence, while Scheuer explained that Disney was attempting to frame him. He told officers that he was unable to confirm if he had accessed Disney’s corporate systems after his employment was terminated, as he may have needed to access its network to obtain his pay details and other financial data.
The FBI examined computers seized from Scheuer’s home and discovered that they had had the Mullvad VPN installed upon them – the same VPN that had been used to hack Disney. Coincidentally, or perhaps not, Scheuer had used the same VPN to access his company email from home since at least October 2023.
On one of the computers, agents found a folder on the desktop labelled “dox” which contained five files containing the personally identifiable information of four individuals targeted in the denial-of-service attacks.
Shortly after being informed by the FBI that a search warrant had been issued for his Google account, an individual believed to be Scheuer was seen parked outside the home of one of the denial-of-service victims. The person was caught giving a thumbs-up to the victim’s Ring video doorbell after examining a package on their doorstep.
A later analysis of cellphone data pinpointed that Scheuer had been present in the victim’s neighbourhood at the time the doorbell footage was captured.
The victim in question was concerned enough about their safety to leave their residence and move into a hotel.
Fortunately all of the tampered menus were intercepted by Disney before they could be physically distributed to restaurant guests. Nonetheless, the case raises once again the concern that too many businesses leave themselves open to attack by not changing login credentials when staff leave the company.
Stringent access control policies and swift revocation of system privileges for terminated employees are a must.
Scheuer remains in federal custody awaiting his motion hearing for bond on 5 November 2024.
