
A Disney employee hacked the menu after being fired in a revenge plot

Michael Scheuer, a former menu production manager at Disney, has been accused of orchestrating a complex series of cyberattacks against his former employer between June and September 2024.

According to an FBI affidavit filed with the criminal complaint, Scheuer’s alleged cyber retaliation began shortly after his controversial termination on June 13, 2024. Using his deep knowledge of Disney systems, Scheuer allegedly launched a multi-pronged attack targeting the company’s own menu creation system, secure file transfer servers and employee accounts.

Broken menus

The allegations center on Scheuer’s manipulation of the company’s proprietary menu creation system and Secure File Transfer Protocol, or SFTP, servers. According to an FBI affidavit, Scheuer allegedly:

  • Infiltrated the company’s “Menu Creator” system, rendering it inoperable by replacing all fonts with symbols, also known as wingdings. According to the affidavit, “all fonts in the app were replaced with fonts that depicted symbols, also known as wingdings.” This attack was so severe that it “caused the Menu Creator system to crash while all menus had their fonts changed.”
  • Accessed secure file transfer servers to download legitimate menus, modify them, and re-upload them to the print queue. Most alarmingly, he allegedly added false information to the allergen notices, stating that “some menu items are safe for people with peanut allergies, although they can be fatal.”
  • Manipulated QR codes on digital menu boards, redirecting customers to an unrelated website (boycottisrael.org) instead of the intended digital menu.

The font changes alone forced the company to shut down the Menu Creator system for 1-2 weeks, reverting to manual processes. Of greatest concern, however, was the change in allergen information, which could have potentially fatal consequences for customers with severe allergies.

The company’s internal investigation revealed that on July 3, 2024, the attacker allegedly created a fake user account under the name “Emily P. Beaman” to gain unauthorized access to the Menu Creator system. The following day, this account was used to modify font files, rendering all menus unusable.

In a separate intrusion, Scheuer allegedly gained access to the company’s SFTP servers, which act as print queues for production-ready products. He downloaded the approved menus, modified them locally, and then re-uploaded them to the servers. These changed menus included dangerous changes to allergen information.

In addition to the menu hack, Scheuer allegedly launched denial-of-service attacks against the accounts of approximately 14 company employees. The affidavit states that “the attacker has developed a script to perform automated login attempts, and as of the date of this affidavit, the attacker has made over 100,000 login attempts to victims’ accounts.”

Additionally, after receiving a search warrant notification on his Google account, Scheuer was caught on a Ring doorbell camera visiting the residence of one of his alleged victims late at night. The affidavit states: “SCHEUER then leans down and reads the label of the package that was on the doorstep. After reading the tag, SCHEUER gives the Ring camera a thumbs up, steps off the porch, and walks back to the car.”

Scheuer’s lawyer, David Haas, confirmed to the New York Post that his client was a Disney employee and that a detention hearing was scheduled for Election Day. Haas commented, “The indictment acknowledges that no one was hurt or injured. I look forward to vigorously presenting my client’s side of the story,” and that Scheuer had “a mental disability that caused him to have panic attacks while he was at work.”

Revenge hacks on the rise

In cases like the alleged Disney incident involving Scheuer, “revenge” hacking attacks by former employees are a real and growing cybersecurity problem.

These types of insider threats are usually classified as “disgruntled insider” attacks, where former employees motivated by feelings of resentment or revenge use their previous access to harm the company.

This trend is of particular concern because disgruntled insiders can use their knowledge of internal systems to carry out targeted disruptions. Research shows that nearly a quarter of insider threat cases involve some form of “malicious intent,” including sabotage, data theft, and fraud.

A 2024 Securonix report highlights that companies increasingly face insiders abusing access to retaliate, with motives ranging from disagreements with management to perceptions of unfair termination.

These incidents often result in direct harm, such as data leaks, service disruptions, and financial losses, as well as indirect consequences, including reputational damage and customer trust issues.

What to do? Termination and insider threats

When employees are terminated, especially in contentious situations, companies must take reasonable steps to ensure that they no longer have access to sensitive systems.

Immediate revocation of access

Once an employee is terminated, all digital and physical access credentials must be revoked. This includes login credentials, VPN access, building access, and any other means by which the former employee could reach systems or physical facilities. In cases like this Disney incident, a quick termination of access could have prevented a situation where a former employee allegedly retained the ability to access confidential platforms after termination.

In these situations, it’s a good idea to schedule a joint review between HR and IT prior to termination to ensure that each access point is identified and deactivated. This process helps avoid oversights, especially for employees who have held positions that give them access to multiple platforms.

Conduct a post-termination security audit

A thorough security audit after an employee leaves is important, especially for positions that involve access to sensitive data or administrative systems. In addition to ensuring that permissions are completely removed, this audit verifies that there are no unauthorized paths left, such as saved passwords or login credentials stored on shared devices. In cases where employees have access to sensitive areas, such as Disney’s menu systems, the checks help eliminate potential entry points for unauthorized activity.

For example, once access has been terminated, review the logs and activity for all systems the individual had access to in the 90 days prior to termination. Looking for unusual patterns or unclear permissions that may need attention helps ensure that no area a former employee could have used is missed.

Improved post-termination monitoring of high-risk systems

Monitoring systems for unusual activity in the weeks following a termination can alert security teams to unauthorized access attempts. This is especially important for employees who may have had administrative access, allowing them to modify systems or databases. Implementing real-time alerts and activity logging can be an important line of defense.

This would look like setting up enhanced monitoring on all systems the former employee had access to for 30-90 days, supporting real-time alerts on login attempts, file changes and unusual access times, so unauthorized access attempts are detected early.
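
The 30-90 day enhanced monitoring described above, sketched as an added example (not code from the affidavit or from any Disney system). The watchlist fields, event format, system and account names, and the business-hours range are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Hypothetical offboarding record produced by the HR/IT review (constructed values).
WATCH = {
    "terminated": datetime(2024, 3, 1, 17, 0),
    "window_days": 90,                      # the article suggests 30-90 days
    "revoked_accounts": {"former.user"},
    "systems": {"menu-app", "sftp-print"},  # systems the person could reach
}
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 local time is normal

# Constructed sample events: (timestamp, system, account, action)
EVENTS = [
    ("2024-02-20T10:05:00", "menu-app", "former.user", "login"),         # before termination
    ("2024-03-02T09:30:00", "menu-app", "former.user", "login_failed"),  # revoked account
    ("2024-03-21T02:14:00", "menu-app", "new.account", "login"),         # off hours
    ("2024-03-21T02:20:00", "menu-app", "new.account", "file_change"),
    ("2024-03-22T11:00:00", "sftp-print", "designer1", "file_change"),
    ("2024-03-22T11:05:00", "hr-portal", "designer1", "login"),          # not watched
    ("2024-07-15T03:00:00", "menu-app", "designer1", "login"),           # window over
]

def review(events, watch):
    """Return (timestamp, system, account, reasons) for events needing review."""
    start = watch["terminated"]
    end = start + timedelta(days=watch["window_days"])
    alerts = []
    for ts, system, account, action in events:
        when = datetime.fromisoformat(ts)
        if when < start:
            continue  # activity before termination belongs to the pre-exit audit
        reasons = []
        # A revoked account should never attempt a login again, on any system.
        if account in watch["revoked_accounts"] and action.startswith("login"):
            reasons.append("revoked_account_login")
        # Enhanced monitoring applies only to watched systems inside the window.
        if system in watch["systems"] and when <= end:
            if action == "file_change":
                reasons.append("file_change")
            if when.hour not in BUSINESS_HOURS:
                reasons.append("off_hours")
        if reasons:
            alerts.append((ts, system, account, reasons))
    return alerts

if __name__ == "__main__":
    for alert in review(EVENTS, WATCH):
        print(alert)
```

Because the rules key on the watched systems rather than only on the former employee's own account, activity from an unfamiliar account on those systems still surfaces for review.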

Insider threats after termination

Organizations face real challenges both outside and inside the gates. The allegations are a reminder that organizations need comprehensive offboarding procedures as part of their insider threat prevention efforts.

Revoking access, conducting background checks and monitoring activities are the main methods that can significantly reduce the risks associated with ex-employees.

By taking these precautions, businesses can better protect their operations, reputation, and customer safety, while minimizing the possibility of retaliation from disgruntled former employees.

I’ve reached out to Disney for comment, but have yet to hear back.