News: 1730301159

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Fired Disney staffer accused of hacking menu to add profanity, wingdings, removes allergen info

(2024/10/30)


A disgruntled ex-Disney employee has been arrested and charged with hacking his former employer's systems to alter restaurant menus with potentially deadly consequences.

Michael Scheuer was [1]charged [PDF] and arrested last week for allegedly violating the Computer Fraud and Abuse Act on three occasions by breaking into a former employer's systems. Disney is not named in the complaint, but The Register has been told they are the company in question, and Scheuer's former employer.

Fired from his role at Disney as a menu production manager in June for what the complaint notes was unspecified "misconduct," the dismissal "was contentious and was not considered to be amicable," according to court documents signed by US magistrate judge Daniel Irick in what appears to be crayon (see page 25 of [2]this PDF ).

[3]

Scheuer allegedly went into action quickly following his termination, and by early July was said to have used his work credentials, which still functioned after his termination, to access the menu creation system Disney contracted another company to create and change all the fonts in the system to wingdings symbols.

[4]

[5]

"The fonts were renamed by the threat actor to maintain the name of the original font, but the actual characters appeared as symbols," the complaint alleged.

"When launched, Menu Creator reached out to the configuration files to retrieve what it believed to be the correct font, instead, it retrieved the altered font files," the document continued. "As a result of this change, all of the menus within the database were unusable because the font changes propagated throughout the database."

[6]

According to the complaint, the changes knocked the system offline for a couple of weeks, requiring backup restoration to fix.

In addition to the font changes, Scheuer also allegedly used his credentials to download menus waiting to be printed and altered them to redirect menu QR codes to a website urging visitors to boycott Israel over its invasion of Gaza.

Most critically, however, Scheuer is also accused of having downloaded menus and altered them to eliminate allergen information, suggesting foods were safe when they weren't. As the complaint notes, this could have deadly consequences - something [7]Disney is already familiar with .

[8]

"It is believed these menus were identified and isolated by [Disney] prior to being shipped out to restaurants and were not distributed further," the complaint noted. The same thing happened with menus containing the altered QR codes.

Scheuer was also accused of being behind several denial of service attacks on a number of Disney employees he had allegedly had prior contact with by developing a script to hammer account login pages with incorrect login attempts.

Multiple VPNs

A search of his home and computers suggests he tried to use the Mullvad VPN to hide his tracks, but IP records were able to identify his likely use of the app to commit his intrusions - including the fact that similar Mullvad-linked IP addresses had been utilized by Scheuer while employed at Disney to access his work accounts. Multiple virtual machines were also found on Scheuer's computer that contained evidence they were used in the attack.

[9]Disney kicks Slack to the curb, looks to Microsoft Teams for a happily ever after

[10]Security biz KnowBe4 hired fake North Korean techie, who got straight to work ... on evil

[11]Wells Fargo fires employees accused of faking keyboard activity to pretend to work

[12]Cloud engineer wreaks havoc on bank network after getting fired

Most critically, the complaint claims, personal information on several of the Disney employees targeted for DoS attacks were found in a folder on the desktop of one of Scheuer's VMs labeled "dox," as well as PII belonging to one of the employee's relatives.

According to the complaint, Scheuer also showed up on the porch of one of the DoS victims' homes shortly after being told by the FBI that a search warrant had been issued for his Google account.

All said, the FBI believes its investigation makes it clear Scheuer is the culprit, and has charged him with two violations of the CFAA "specifically that he knowingly and without authorization caused the transmission of a program, information, code, or command to intentionally cause damage to a protected computer and caused loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value," the FBI agent attesting the case concluded.

It's not immediately clear how long Scheuer could face in prison if convicted, but it could be up to 15 years [13]based on sentencing guidelines.

Scheuer remains in jail pending a bond hearing, a date for which hasn't been set. Disney did not respond to questions for this story. ®

Get our [14]Tech Resources



[1] https://regmedia.co.uk/2024/10/30/disney-menu-hacker-complaint.pdf

[2] https://regmedia.co.uk/2024/10/30/disney-menu-hacker-complaint.pdf

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZyJmNNJudNbAEDmQc2ypeAAAAA4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZyJmNNJudNbAEDmQc2ypeAAAAA4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZyJmNNJudNbAEDmQc2ypeAAAAA4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZyJmNNJudNbAEDmQc2ypeAAAAA4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2024/08/15/disney_plus_death_lawsuit_waive/

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZyJmNNJudNbAEDmQc2ypeAAAAA4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://www.theregister.com/2024/09/20/disney_slack_microsoft_teams/

[10] https://www.theregister.com/2024/07/24/knowbe4_north_korean/

[11] https://www.theregister.com/2024/06/13/wells_fargo_fires_employees/

[12] https://www.theregister.com/2023/12/12/cloud_engineer_bank_prison/

[13] https://www.nacdl.org/Landing/ComputerFraudandAbuseAct

[14] https://whitepapers.theregister.com/



Ancient American Proverb

DJO

Wisdom handed down from father to son for countless generations (well 3 or 4 if you want to be pedantic - ancient wisdom has to start somewhere):

"Don't fuck with The Mouse."

Fired Disney staffer accused of hacking

Kane

Calling it "hacking" sounds like a bit of a stretch

Re: Fired Disney staffer accused of hacking

JoeCool

renaming the font file so that it would be picked up as the correct font, then propogated through the db, and requiring 2 weeks to recover, from a backup. that shows pretty good abuse of internal system design. that's a quality hack.

His attempts to hide his trail

Andy Non

were a bit goofy, now he's well and truly Daffy Ducked.

MENU

Porridge

Porridge

Porridge

Re: His attempts to hide his trail

Korev

That's a bit Cruella

mobailey

He should have just let it go.

Korev

They should have Frozen his account...

Sounds like they really need to fire more people!

TeeCee

1) ...his work credentials, which still functioned after his termination . That means whoever's in charge of your HR exit process should be looking for a new job about now.

2) ..a couple of weeks, requiring backup restoration to fix. If it takes two bloody weeks to restore your menu system, then whoever's running your data centre and whoever signed off on the backup / recovery process being fit for purpose should also be gone by now.

3) ...redirect menu QR codes... No need to do anything about this, QR codes are an exploit looking for a gullible idiot to happen to anyway. Still, knowing that, someone decided to use them and that person should be getting nervous.

Disney villain act.

Luiz Abdala

I wanna see some Disney villain doing that on the next Ratatouille or something, changing all the menus to Wingdings and removing the allergen warnings.

And karma turning on his head, as the villain is violently allergic to peanuts and choking to death on them.

=======================

Geez, that could have been qualified as terrorism or attempted murder.

.. Pictures...

_Elvi_

.. Or it didn't happen ....

Seriously, I'm sure its a bit of a laugh..

( I would hope the staff still informed they, with food allergies of the content )

unfair competition, n.:
Selling cheaper than we do.