Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
The “Most Magical Place on Earth” narrowly avoided becoming one of the most dangerous for peanut-allergy sufferers, according to a federal criminal complaint accusing an ex-Disney employee of abusing credentials to scrub allergen information from restaurant menus.
404 Media reported the complaint, filed in the United States District Court for the Middle District of Florida against a man named Michael Scheuer, does not directly mention Disney. However, details that are specific to the company are mentioned throughout the complaint, and Scheuer’s lawyer confirmed Disney’s involvement to 404 Media.
An FBI agent wrote in the complaint that Disney contracted a firm referred to in the document as “Company B” to create a menu-planning app—apparently, one that is used solely at Disney for purposes like inventory and menu creation.
The agent further alleged that after Disney fired Scheuer from his role as menu production manager in June 2024, Scheuer continued to use credentials that gave him access to the app. The affidavit accuses Scheuer of repeatedly manipulating prices on menus, as well as modifying them to contain profanities or use the unintelligible “Wingdings” font.
In addition to using his original Disney credentials, prosecutors wrote, Scheuer used other logins to break into the app developers’ FTP server.
“The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies,” the agent wrote.
Usage of old login credentials is one of the most common access vectors, and the alleged Disney incident highlights the risks of failing to properly revoke them when employees leave a job or are fired. Dangers can run the gamut from ex-employees lurking around company Slack channels to criminal, destructive hacking attempts.
Fortunately, in this case, investigators didn’t find any evidence the menus ended up being seen by customers.
“It is believed these menus were identified and isolated by [Disney] prior to being shipped out to restaurants and were not distributed further,” the agent added.
According to the complaint, Disney employees discovered the app was compromised after the “Wingdings” incident, which also forced IT staff to take the app offline and affected its functionality for multiple weeks. Scheuer’s toolset included automated login scripts which inadvertently exceeded login attempts on (and thus locked) over a dozen employee accounts.
Disney didn’t respond to 404 Media’s request for comment. However, 404 did report the incident has nothing to do with the October 2023 death of a woman after ingesting dairy and nut content at a Disney-owned restaurant in Florida.