Fired Disney employee allegedly hacked into company system to change allergen info on menus
CNN
—
A fired Disney employee allegedly hacked into the company's servers to alter its restaurant menus, including falsifying allergen information and printing profane language, according to a federal criminal complaint filed in Florida.
The complaint, filed October 23 in the US District Court for the Middle District of Florida, does not name Disney. David Haas, a lawyer representing the suspect in the case, confirmed to CNN that Disney is the company involved in the complaint, however.
Disney identified and removed all altered menus before they were shipped to restaurants, according to the complaint.
The complaint was first reported by 404 Media and Court Watch.
Michael Scheuer, who worked as a menu production manager for Disney, was fired in June for misconduct, according to the complaint. Scheuer had access to and used secure internal servers for creating and publishing menus for all of Disney's restaurants as part of his job at the company, according to the complaint.
After being terminated, Scheuer repeatedly hacked into the company's proprietary software, which creates and distributes menus to restaurants operated by Disney, the complaint alleges, beginning a months-long cyberattack campaign against the company and its employees.
Scheuer allegedly hacked into Disney's menu creation servers multiple times to manipulate and disrupt the menus, such as changing prices and adding profane language. Scheuer then made changes to the menus that "threatened public health and safety," the complaint says, including altering allergen information to indicate certain menu items with peanuts were peanut-free, posing a fatal risk to individuals with peanut allergies.
Scheuer denied wrongdoing and said Disney was "attempting to frame him" because they were concerned about the conditions under which he was fired, the complaint alleges.
Haas, a lawyer representing Michael Scheuer, told CNN that the allegations "acknowledge that no one was injured or harmed."
Scheuer has a "mental health disability" that caused a panic attack at work, according to Haas, and Scheuer was initially suspended and then terminated. "Disney failed to respond to his inquiries about being fired, and he then filed an (Equal Employment Opportunity Commission) complaint in response," Haas said.
Disney and the US Attorney's Office for the Middle District of Florida declined to comment.
In July the company conducted an internal investigation and uncovered changes made to its menu creator system that rendered all of the menus unusable, the complaint said. Disney's menu creator system was impacted for one to two weeks, according to the complaint, and manual processes had to be used to fix the menus.
Disney employees discovered the disruption when Scheuer altered menu text fonts to become icon symbols, known as wingdings.
"This change was so substantial that it caused the Menu Creator system to become inoperable while the font changes were made to all of the menus," the complaint alleges. "Company A was forced to take the Menu Creator application offline while they reverted to backups to regain the ability to operate."
Additionally, Scheuer allegedly disabled employee accounts during his hacking campaigns. He allegedly locked at least 14 Disney employees out of their accounts by continually attempting to log on to their accounts with incorrect passwords. Scheuer used a bot to attempt over 100,000 logons to their accounts, rendering them unusable, according to the complaint.
Scheuer also allegedly altered Disney menu QR codes to direct people to a website advocating for the boycott of businesses associated with Israel, according to the complaint. Disney printed the altered QR codes but identified and removed them before shipping to any restaurants, according to the complaint.
Scheuer's cyberattacks cost Disney at least $150,000, the complaint alleges.