Ex-Disney employee gets 3 years in the clink for goofy attacks on mousey menus
(2025/04/29)
- Reference: 1745886363
- News link: https://www.theregister.co.uk/2025/04/29/former_disney_employee_jailed/
- Source link:
Former Disney employee Michael Scheuer was sentenced to 36 months in prison and fined almost $688,000 for screwing up a software application the entertainment giant used to cook up its restaurant menus.
Scheuer, a resident of Winter Garden, Florida, was [1]arrested in October and charged with breaking America's Computer Fraud and Abuse Act (CFAA) for accessing Disney IT systems without authorization, and with aggravated identity theft.
A [2]criminal complaint [PDF] was filed in federal court in Orlando, Florida. And the court accepted Scheuer's agreement to plead guilty to the CFAA and identity theft charges in January. Sentencing occurred last week.
[3]
Scheuer served as the Menu Production Manager for Disney prior to being fired on June 13, 2024, for misconduct. According to Disney, the termination was contentious and not amicable.
[4]
[5]
In July, as described in his guilty [6]plea agreement [PDF], Scheuer retaliated against the media powerhouse by making unauthorized changes to Disney restaurant menus through its Menu Creator application, hosted by an unidentified third-party based in Minnesota.
The changes included the replacement of fonts specified by the Menu Creator configuration file with [7]Wingdings .
[8]
"When launched Menu Creator reached out to the configuration file to retrieve what it believed to be the correct font; instead it retrieved the altered font files," the plea agreement explains. "These font changes propagated throughout the database resulting in each menu displaying the same generic font as opposed to the themed fonts applied to each menu. Further, this caused the Menu Creator system to become inoperable while the font changes were pushed to all of the menus."
Scheuer also made changes to menu images and background files, such that they loaded as blank white pages.
The app was down for one to two weeks for repairs and Disney no longer uses it.
[9]
To put an end to this initial attack, the animation titan limited access to the app and reset passwords.
Scheuer was able to attack the app three ways: One, by using an administrative account, accessing it through a commercial VPN called Mullvad; and two, using a URL-based access mechanism that was made available to contractors.
The use of a Mullvad VPN wasn't particularly confounding for investigators. The plea agreement observes, "The IP address used in this attack was from the same IP range that Scheuer used to logon to his [Disney] email account in the past, which was also a Mullvad IP address."
[10]Fired Disney staffer accused of hacking menu to add profanity, wingdings, removes allergen info
[11]Disney claims agreeing to Disney+ terms waives man's right to sue over wife's death
[12]Microsoft dials back Bing after users manage to recreate Disney logo in fake AI-generated images
[13]Disney kicks Slack to the curb, looks to Microsoft Teams for a happily ever after
A third approach involved targeting secure file transfer protocol (SFTP) servers maintained by the unidentified Menu Creator vendor to store menu files ready for printing or display on a menu screen. During an initial intrusion, Scheuer gained administrative access on the SFTP servers. And after being locked out of the Menu Creator app, he was able to use that access to alter the menus stored on the file server.
"Among the changes made by Scheuer to the menus were changes to allergen information and pricing," the plea agreement says. "As to the former, Scheuer added notations to menu items indicating they were safe for people with specific allergies, which could have had fatal consequences depending on the type and severity of a customer's allergy."
Other alterations included changing the wine regions to areas associated with mass shootings and the addition of graphics including a swastika.
A subsequent round of attacks on a different SFTP server involved altering QR codes on menus to load a website promoting a boycott of Israel.
The plea agreement indicates that while some of these altered menus were printed, it's believed all were all caught before they were distributed.
Scheuer also conducted denial of service (DoS) attacks intended to prevent Disney employees from logging in to their enterprise accounts. He ran an automated attack script that made more than 100,000 incorrect login attempts in an effort to have the accounts locked down. Fourteen employees are said to have been affected in this way.
The court filing says the FBI served a warrant to search Scheuer's residence on September 23, 2024, "and the DoS attacks ceased minutes before the agents first made contact with Scheuer and have not restarted since the seizure of his computer."
Agents report finding various virtual machines used to conduct the attacks and a doxxing file containing personal information on five Disney employees and the mother of one of these workers.
At the end of his imprisonment, Scheuer faces three years of supervised release with various conditions including a ban on contact with the corporation and individual victims. ®
Get our [14]Tech Resources
[1] https://www.theregister.com/2024/10/30/fired_disney_employee_hacks_menu/
[2] https://storage.courtlistener.com/recap/gov.uscourts.flmd.436495/gov.uscourts.flmd.436495.1.0.pdf
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aBFL8F889TeecXgYWLNpOgAAA00&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aBFL8F889TeecXgYWLNpOgAAA00&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aBFL8F889TeecXgYWLNpOgAAA00&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://storage.courtlistener.com/recap/gov.uscourts.flmd.436495/gov.uscourts.flmd.436495.33.0.pdf
[7] https://learn.microsoft.com/en-us/typography/font-list/wingdings
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aBFL8F889TeecXgYWLNpOgAAA00&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aBFL8F889TeecXgYWLNpOgAAA00&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[10] https://www.theregister.com/2024/10/30/fired_disney_employee_hacks_menu/
[11] https://www.theregister.com/2024/08/15/disney_plus_death_lawsuit_waive/
[12] https://www.theregister.com/2023/11/20/ai-in-brief/
[13] https://www.theregister.com/2024/09/20/disney_slack_microsoft_teams/
[14] https://whitepapers.theregister.com/
Scheuer, a resident of Winter Garden, Florida, was [1]arrested in October and charged with breaking America's Computer Fraud and Abuse Act (CFAA) for accessing Disney IT systems without authorization, and with aggravated identity theft.
A [2]criminal complaint [PDF] was filed in federal court in Orlando, Florida. And the court accepted Scheuer's agreement to plead guilty to the CFAA and identity theft charges in January. Sentencing occurred last week.
[3]
Scheuer served as the Menu Production Manager for Disney prior to being fired on June 13, 2024, for misconduct. According to Disney, the termination was contentious and not amicable.
[4]
[5]
In July, as described in his guilty [6]plea agreement [PDF], Scheuer retaliated against the media powerhouse by making unauthorized changes to Disney restaurant menus through its Menu Creator application, hosted by an unidentified third-party based in Minnesota.
The changes included the replacement of fonts specified by the Menu Creator configuration file with [7]Wingdings .
[8]
"When launched Menu Creator reached out to the configuration file to retrieve what it believed to be the correct font; instead it retrieved the altered font files," the plea agreement explains. "These font changes propagated throughout the database resulting in each menu displaying the same generic font as opposed to the themed fonts applied to each menu. Further, this caused the Menu Creator system to become inoperable while the font changes were pushed to all of the menus."
Scheuer also made changes to menu images and background files, such that they loaded as blank white pages.
The app was down for one to two weeks for repairs and Disney no longer uses it.
[9]
To put an end to this initial attack, the animation titan limited access to the app and reset passwords.
Scheuer was able to attack the app three ways: One, by using an administrative account, accessing it through a commercial VPN called Mullvad; and two, using a URL-based access mechanism that was made available to contractors.
The use of a Mullvad VPN wasn't particularly confounding for investigators. The plea agreement observes, "The IP address used in this attack was from the same IP range that Scheuer used to logon to his [Disney] email account in the past, which was also a Mullvad IP address."
[10]Fired Disney staffer accused of hacking menu to add profanity, wingdings, removes allergen info
[11]Disney claims agreeing to Disney+ terms waives man's right to sue over wife's death
[12]Microsoft dials back Bing after users manage to recreate Disney logo in fake AI-generated images
[13]Disney kicks Slack to the curb, looks to Microsoft Teams for a happily ever after
A third approach involved targeting secure file transfer protocol (SFTP) servers maintained by the unidentified Menu Creator vendor to store menu files ready for printing or display on a menu screen. During an initial intrusion, Scheuer gained administrative access on the SFTP servers. And after being locked out of the Menu Creator app, he was able to use that access to alter the menus stored on the file server.
"Among the changes made by Scheuer to the menus were changes to allergen information and pricing," the plea agreement says. "As to the former, Scheuer added notations to menu items indicating they were safe for people with specific allergies, which could have had fatal consequences depending on the type and severity of a customer's allergy."
Other alterations included changing the wine regions to areas associated with mass shootings and the addition of graphics including a swastika.
A subsequent round of attacks on a different SFTP server involved altering QR codes on menus to load a website promoting a boycott of Israel.
The plea agreement indicates that while some of these altered menus were printed, it's believed all were all caught before they were distributed.
Scheuer also conducted denial of service (DoS) attacks intended to prevent Disney employees from logging in to their enterprise accounts. He ran an automated attack script that made more than 100,000 incorrect login attempts in an effort to have the accounts locked down. Fourteen employees are said to have been affected in this way.
The court filing says the FBI served a warrant to search Scheuer's residence on September 23, 2024, "and the DoS attacks ceased minutes before the agents first made contact with Scheuer and have not restarted since the seizure of his computer."
Agents report finding various virtual machines used to conduct the attacks and a doxxing file containing personal information on five Disney employees and the mother of one of these workers.
At the end of his imprisonment, Scheuer faces three years of supervised release with various conditions including a ban on contact with the corporation and individual victims. ®
Get our [14]Tech Resources
[1] https://www.theregister.com/2024/10/30/fired_disney_employee_hacks_menu/
[2] https://storage.courtlistener.com/recap/gov.uscourts.flmd.436495/gov.uscourts.flmd.436495.1.0.pdf
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aBFL8F889TeecXgYWLNpOgAAA00&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aBFL8F889TeecXgYWLNpOgAAA00&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aBFL8F889TeecXgYWLNpOgAAA00&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://storage.courtlistener.com/recap/gov.uscourts.flmd.436495/gov.uscourts.flmd.436495.33.0.pdf
[7] https://learn.microsoft.com/en-us/typography/font-list/wingdings
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aBFL8F889TeecXgYWLNpOgAAA00&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aBFL8F889TeecXgYWLNpOgAAA00&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[10] https://www.theregister.com/2024/10/30/fired_disney_employee_hacks_menu/
[11] https://www.theregister.com/2024/08/15/disney_plus_death_lawsuit_waive/
[12] https://www.theregister.com/2023/11/20/ai-in-brief/
[13] https://www.theregister.com/2024/09/20/disney_slack_microsoft_teams/
[14] https://whitepapers.theregister.com/
Re: And yet Disney kill someone...
Erythrite
Florida man...
Re: And yet Disney kill someone...
Korev
Don't take the Mick!
Disney menus?
Anonymous Coward
I thought everything was just made from sugar and fat.
Jamie Jones
> "As to the former, Scheuer added notations to menu items indicating they were safe for people with specific allergies, "
From stupid bastard to evil bastard.
Phil O'Sophical
Yrs, never mind computer misuse, that is verging on GBH, if not attempted murder.
SVD_NL
Right, disrupting Disney restaurants is one thing (you could argue he indirectly saved some lives there), but changing allergen information has serious consequences, people could have died here.
What if he was less stupid and more evil, and would've only changed the allergen information? How long would it take to notice, and how long would dangerous menus remain in circulation?
Potemkine!
A Menu Production Manager having administrator rights on a SFTP server ? There's a problem with segregation of duties in Disney. He should be a user, not an administrator.
Korev
Yeah, it makes Disney look like some Micky Mouse outfit
Doctor Syntax
And he's a muppet so obviously in the wrong place.
The Oncoming Scorn
The Muppets were acquired by the Walt Disney Company in 2004.
Which makes Miss Piggy a Disney Princess.
Anonymous Coward
... Would you want to try to tell her otherwise?
The Oncoming Scorn
I can see why you went AC for that post.
And a $688,000 fine.
mikeinaustin
He doesn't need a house anyway.
What an idiot.
Re: And a $688,000 fine.
CorwinX
Messing up a menu for revenge is one thing.
Messing around with allergen info is a whole different ballgame.
He'd be up on manslaughter charges if someone had died.
I worked as a waiter for a number of years and, regardless of the menu, you always ask if anyone at a table has any allergies - Nut and Seafood being the most critical.
And we had Epipens on hand in the first-aid kit just in case.
And yet Disney kill someone...
...by not labelling allergens correctly and they insist the widow goes to arbitration.
Don't you love how money is everything.