Security IT

Fired Employee Allegedly Hacked Disney World's Menu System to Alter Peanut Allergy Information (404media.co) 102

An anonymous reader shares a report: A disgruntled former Disney employee allegedly repeatedly hacked into a third-party menu creation software used by Walt Disney World's restaurants and changed allergy information on menus to say that foods that had peanuts in them were safe for people with allergies, added profanity to menus, and at one point changed all fonts used on menus to Wingdings, according to a federal criminal complaint.

The suspect in the case, Michael Scheuer, broke into a proprietary menu creation and inventory system that was developed by a third-party company exclusively for Disney and is used to print menus for its restaurants, the complaint alleges. The complaint alleges he did this soon after being fired by Disney using passwords that he still had access to on several different systems. Once inside the systems, he allegedly altered menus and, in one case, broke the software for several weeks.

"The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies," the criminal complaint states. According to the complaint, the menus were caught by Disney after they were printed but before they were distributed to Disney restaurants. Disney's menus have extensive "allergy friendly" sections.

  • Ah not to worry. (Score:4, Insightful)

    by Anonymous Coward on Wednesday October 30, 2024 @11:24AM (#64906277)

    Even if there were allergy problems that arose from this, chances are the victim would be a Disney+ subscriber, so Disney is legally in the clear!

    • Would be funny if peanut allergy was not actually lethal.

      • Of course! .... but maybe https://www.youtube.com/watch?... [youtube.com]
      • Re: (Score:2, Interesting)

        by cayenne8 ( 626475 )

        Would be funny if peanut allergy was not actually lethal.

        Has anyone figured out where this relatively NEW phenomenon of peanut allergies has come from?

        There was NO such thing when I grew up as a kid....peanuts were at schools...hell on any given day, I'd say half the kids' lunches in elementary school were PB&J's.....

        No scares...no mass dying of peanuts.

        So, what the hell caused this in the past couple decades?

        • Has anyone figured out where this relatively NEW phenomenon of peanut allergies has come from?

          Agent Orange, perhaps?

        • Re:Ah not to worry. (Score:4, Informative)

          by transwarp ( 900569 ) on Wednesday October 30, 2024 @12:47PM (#64906635)
          We know that lack of exposure to peanuts as a baby can cause it (or exposure can prevent it, whichever way you want to see it). Studies with ethnic groups in the US and abroad where the US population didn't have peanuts in their babies' diets basically ruled out strong genetic factors.

          Now, I doubt the US baby peanut intake used to be high, so there's probably another thing causing the allergy to manifest after they're not pre-emptively exposed.
          • by RobinH ( 124750 )
            What's changed is that we went through a phase where expectant mothers were told not to eat peanuts or peanut butter. I suspect the kids born during that time-frame are more likely to be allergic. I know it's anecdotal but my wife ignored that advice and our kids don't have a peanut allergy. A mom friend of ours never ate peanut butter (she prefers nutella) and one of her kids has an allergy to peanuts (but not tree nuts). I suspect being exposed in the womb is similar to exposure as a baby.
        • For a while, peanut allergies caused peanut allergies. Overreaction to the peanut allergies led to parents delaying introducing peanuts and peanut butter to the diet and older kids not being allowed to take a PB&J sandwich to school. Lack of exposure leads to more allergies.

        • by lsllll ( 830002 )

          Jonathan Haidt talks about this exact topic in the last chapter of his book, The Coddling of the American Mind. It's due to overreaction on the parent's and community's side. Basically there were a few cases of peanut allergy and all of a sudden everyone thought "No big deal. I'll just keep my kids away from peanuts." But by keeping the kids away from them, their bodies didn't learn to cope with the possible allergen at an early age and then it was too late.

          The same thing happened with parents not allo

        • by Nite_Hawk ( 1304 )

          No one really knows yet. We have immune system issues in my family ranging from Crohn's disease (both myself and my father) to nut and egg allergies. Some of the research that's come out specific to Crohn's disease is that people who live in or immigrate to western societies are more likely to develop it. There's also a correlation between Crohn's disease and northern latitudes. There appears to be both a biological and an environment component to it, but more people are getting it now than ever, but th

          • by kackle ( 910159 )
            Tack on to that that much of our immune systems' functionality comes from our gut (microbiome). And the poisons currently used on our food supply against weeds, insects and germs have been demonstrated to disrupt that microbiome. Oops.
        • by skam240 ( 789197 )

          There was NO such thing when I grew up as a kid....peanuts were at schools...hell on any given day, I'd say half the kids' lunches in elementary school were PB&J's.....

          You mean peanut allergies were so rare that schools didn't bother caring because the odds were incredibly strong that they didn't have any students with one.

          • So, wait, am I hearing that PB&J's are banned at schools now?

            • So, wait, am I hearing that PB&J's are banned at schools now?

              I was shocked to hear a few years ago, from a parent that they said emphatically "YES" any peanut food, including PB&J's were banned at schools, for fear of one of the sensitive kids getting exposed to it.....I was blown away at such a thing, but apparently it is a thing.

        • by dbialac ( 320955 )
          Probably because they were dead.
        • Probably a mix of peanut allergy awareness and the generally greater amount of food diversity in a globalized economy.

          Peanut allergies generally come from not being exposed to peanuts at a young age. So as peanut allergy awareness went up, parents became scared to give their kids peanuts, which in turn means they're likely giving their kids peanuts allergies. Add in the schools that forbid peanuts because one kid has an allergy and it exacerbates the problem. There was even a period where the federal govern

        • This is a long and convoluted story

          Around 2000 doctors were concerned about a relatively rare malady that occurs when infants eat adult foods and experience a nearly fatal response

          It occurs in about 1 in 10,000 children, and as a result the American Pediatrics Association published a suggestion that parents strictly limit exposure of infants to anything but formula for the first six month of life

          The net results of this were a tragic rise in the instance of food allergies, particularly involving peanuts, but

        • My son (8) has a peanut allergy. I asked his allergist about the cause and was told that there's no clear consensus. There is apparently lots of evidence pointing to environmental causes and also lots of evidence pointing to genetic causes, while the actual truth probably has elements of both. It's also possible that different people have different causes.

          In a way he's lucky because he's repulsed by even the smell, and his reaction seems to be to vomit instead of going into anaphylactic shock. I'm
      • He should have gone for the lactose intolerance angle and given most people diarrhea instead of trying to commit murder.

        I wish more people would ask me about alternatives to murder. I'm REALLY good at not running around like a lunatic and murdering people.

        Hell, he could have taken up basket weaving. Maybe make designs showing the Steamboat Willie version of Mickey Mouse having steamy romance with Peg-Leg Pete.

      • Apparently, you didn't get the joke [npr.org], but I do wonder if these cases are curiously related.
    • Oh, Disney is definitely in the clear. The guy who did the hacking? He's gonna do prison time. For sure.
      • by taustin ( 171655 )

        I do hope the charge is attempted murder, since that's what it is. And he should face one count (with consecutive sentences) for each Disney customer with a peanut allergy. Should be good for a few hundred thousand years behind bars.

    • "By any of your bodily senses ever picking up on anything Disney, you automatically agree to never sue us."
  • Obvious Question (Score:5, Informative)

    by Rinnon ( 1474161 ) on Wednesday October 30, 2024 @11:28AM (#64906285)
    Whose job is it to offboard employees such that they aren't just leaving people with access to their systems after firing them? HR? IT? I'm looking at you. I mean... c'mon.
    • Whoa! You want someone to take responsibility? And do their job?

      This is 2024, pal, not 1954. You're talking about the bad old days.

      Stop complaining and be happy.

    • by Joviex ( 976416 )

      Whose job is it to offboard employees such that they aren't just leaving people with access to their systems after firing them? HR? IT? I'm looking at you. I mean... c'mon.

      Still have my accounts (active) after leaving 3 years ago. It's amazing, ain't it? They fire the capable, and keep the morons.

      • - passwords deactivated
        - security keycard deactivated
        - The supervisor with at least 2 big burly security guards walks up to the worker
        - "You're fired"
        - 5 minutes with the big burly security guards flanking the worker as he clears his desk of all personal items
        - worker escorted off premises /\
        --- all done in that order

        Yes, it's as cold, heartless, and efficient as it sounds, and I'm very surprised Disney does not do this.

        • I am guessing this is related to cloud hosted services with shared passwords. Two great gotchas for proper security protocols.

        • The perp walk is evil and unnecessary. Revoke permissions and have security trail him at a discreet distance.
          • Revoke permissions and have security trail him at a discreet distance.

            Because that is so much better. Nothing like walking out of the office and someone trailing you while watching your every move. Sounds like the other side of the Berlin Wall back in the day.
            • It lets the former employee ask around for references, exchange contact information, swap final favors and offers much more dignity.
          • At Evil, Co., as part of our environmental responsibility initiative, we push terminated employees into the protein recycling vats.

        • You're wrong.

          It's usually 15 minutes you're allowed before getting manhandled.

        • You kind of assume that both the IT department and management are organized well enough to do something in less than a week's time.

    • Whose job is it to offboard employees such that they aren't just leaving people with access to their systems after firing them? HR? IT? I'm looking at you. I mean... c'mon.

      As long as Disney can point to one specific culprit, already fired, they'll do so. Never mind shit policy and the entire chain of failure that led to this incident. Corporations are not responsible for anything. Individuals are. Unless it's systemic and the only culprits sit on the board. Then nobody's responsible. It's just good business.

      • Disney didn't force or even incentivize him to do this. Failing to prevent somebody from willfully committing a crime is not a crime.

        Committing a crime is a crime.

        • by gweihir ( 88907 )

          On the other hand, not revoking access is gross negligence. You know, the kind that makes you liable.

          • I agree that if this guy had managed to kill somebody they would have sued Disney not the guy, and failing to cut off his access would have cost Disney bigtime in that case.
    • Happens all the time. It is HR's job to offboard people and IT's job to remove their access. In any large organization, the communication between two groups reporting to different people is usually very poor. Even assuming HR remembers to inform IT, there is no reason to believe that there is someone in that organization whose job it is to take care of it.
      • Especially when "IT" means a mix of outsourcing companies which handle wildly different credential suites and access solutions.
        This happens in pretty much every corporation. Single Sign On is a wet dream.

      • Yeah, my old boss would regularly forget to tell me when people left or were let go. I'd eventually hear about it through random conversation and have to do periodic audits to check if any of these people were still working for us.

        Fortunately I practiced the principle of least privilege, so only a select few people (basically just 3 people, including myself) could do significant damage, and those were people I would know were gone pretty quickly. We also had very low turnover.

    • Maybe cut people a severance check once in a while. The classic: "No hard feelings. Here's 6 weeks if you promise to GTFO"

    • by Njovich ( 553857 )

      The person that was fired should not criminally use systems after they get fired. Period. That's 'his job'. While it's a good habit to throw out old employee accounts, still having an old password does not make it OK to still use it in a way that harms the company or other people.

    • That job was moved overseas. Just like their turd party menu system.
    • Hello?!? the whole point of this statement is to distance themselves from the appropriate consequences - doh!

  • by Rosco P. Coltrane ( 209368 ) on Wednesday October 30, 2024 @11:33AM (#64906305)

    to put people's lives at risk because you have a beef with your employer.

    • The other things could be written off like pranks, but messing with allergy info isn't okay.

      • by Ksevio ( 865461 )

        Especially in that manner. If he had changed it so it said something like the Swedish Fish may contain shellfish that would be kind of funny and people with allergies could at least err on the side of caution and not eat anything

      • by gweihir ( 88907 )

        If somebody gets hurt or dies, it falls under (attempted) manslaughter. You have to be _really_ stupid to do something like this.

        • by sconeu ( 64226 )

          Depending on the jurisdiction, it could be considered Felony Murder.

          I'm not sure if Federal law includes such a provision.

    • The guy is a real mental case, but people typically don't just become that way for nothing. Something rotten led up to this even before he was terminated.
      • The guy is a real mental case, but people typically don't just become that way for nothing. Something rotten led up to this even before he was terminated.

        A mentally healthy person doesn't act like this no matter how badly they get treated at work.

        • by dbialac ( 320955 )
          What I've seen is that either a mentally healthy person has already found another job when their supervisors are abusive, or because other people in the organization like them, they get promoted over the supervisor and the former supervisor gets canned. Relationships matter, folks. It's not what you know, it's who you know and how you behave towards them.
        • by gweihir ( 88907 )

          Clearly. Why does this even need to be stated?

    • by gweihir ( 88907 )

      Indeed. However there are many crappy human beings that think the world is all about them and others do not matter.

    • by RobinH ( 124750 )
      Yeah, that's what I thought. This guy could easily end up with a manslaughter charge if something bad happened.
  • Bit of an armchair lawyer here but comparing this to somewhat similar cases, this guy is going to jail FOREVER. He'll probably lawyer up and waste his life savings on it and get a plea deal or some nonsense if Disney doesn't swing their weight around on this one. But it's basically FDA food manipulation territory and attempted murder but without a specific victim, which they could classify as terrorism if they really wanted to stretch it. Also, use of Wingdings is punishable by death.
    • Jigsaw: Let's play a game. Wingdings, Comic Sans, or prison. Which do you choose?

      • by CEC-P ( 10248912 )
        If Comic Sans is mandatory in any place in civilized society, you're not keeping society safe from me by throwing me into prison, you're keeping me safe from society.
    • by JBMcB ( 73720 )

      Did you read an article? The guy was a total nut. He had information on coworkers' addresses and families. Hacking and FDA violations are the tip of the iceberg.

  • "The complaint alleges he did this soon after being fired by Disney ***using passwords that he still had access to on several different systems.***" Dumb, dumb, and dumb. I bet they didn't deactivate his key card before telling him he was fired either.
  • That's clear attempted murder, should be taken very seriously. Why are they only charging him with "computer fraud" .. he tried to kill people.

  • by iAmWaySmarterThanYou ( 10095012 ) on Wednesday October 30, 2024 @12:05PM (#64906439)

    Why do people do post-firing hacking on their former employer?

    They fired you. That sucks. You're not getting your job back. Work on your resume and move on. You hate them so much and cared so much about some dumb job and your stupid boss that you'd go to prison and fuck up your whole life to inflict some temporary harm on them? Super fucking crazy. No wonder he got fired. He was a psycho and a bad hire in the first place.

    Be it your former job or your ex-spouse or bf/gf or bff or your dog runs away, just move the fuck on. There is no benefit to going psycho on people who are now your past.

    • by King_TJ ( 85913 )

      I mean, I'm not saying you're wrong for 99% of situations. (You knew when you were hired that the employment could be terminated at any time, etc. etc.)

      But the fact this guy specifically went after the restaurant menus and the peanut allergies in particular, just after all the news came out about Disney's ridiculous fight not to compensate a family for serving peanuts in food despite being instructed the person had a peanut allergy? That looks more like a type of guerilla corporate warfare move than a perso

      • Corporate warfare? Am I reading that right? To me that means he was doing harm as a paid agent of some Disney competitor. Is that what you meant?

        • by King_TJ ( 85913 )

          Uh, not necessarily -- though that's an interesting possibility that I'm sure has been the case in some of these other corporate hacks by former employees.

          I'm not sure what term you'd prefer... maybe an "activist" sounds better to you?

          My general point here is, a LOT of people feel the Disney corporation is a pretty evil one, these days. I don't see how anyone paying attention can mistakenly believe they're the exact same type of company they were back when Walt was in charge of it?

          • Sure, they're a lot different than Walt's day but I'm just seeing a guy who abused whatever access he still had to fuck shit up because he was mad at getting fired. He likely wasn't fucking shit up (intentionally) when he was still employed; he was happy enough working there until he suddenly wasn't then went ape shit and fucked himself for nothing. There's no evidence of hacktivism I'm aware of.

            At least if he was a paid corporate agent that would make some sense if the pay was high enough. But to do childis

      • by Rinnon ( 1474161 )

        I think you're giving this guy way too much credit, and your explanation of the event in question is unnecessarily complex compared to the obvious and simple one. (Occam's Razor)

        This is a guy who, even as you put it:

        [...] was not being smart enough to cover their tracks better. If you're recently terminated AND you had access to the systems in question, you're going to be right at the top of their suspect list.

        I see no reason to suggest that it is more likely that his actions were a part of some clandestine activism, as opposed to the simple explanation that he was angry with his former employer.

        As a bit of a tangent, (not directed at you specifically to be clear, it just makes me think about it),

    • by gweihir ( 88907 )

      Why do people do post-firing hacking on their former employer?

      Because these people are deeply stupid and think it is all only about them. Gigantic egos, rather small skills. Common occurrence these days.

      There is no benefit to going psycho on people who are now your past.

      Indeed. But it takes a rational mind and some pragmatism to see that. There are plenty of people that fail this test.

    • Why do people do post-firing hacking on their former employer?... You're not getting your job back...

      Maybe you have a mellower temperament, but when a good portion of people are angry they are not thinking rationally. Reptilian fight-or-flight instincts kick in, and the urge to cause instant harm as retaliation is set to level 11.

      When I get riled up I try to go for a jog or long walk to burn off excess energy caused by adrenaline. Plus the journey gives me time to mellow out and think clearer. (Passer-by's

      • > Maybe you have a mellower temperament

        Lol, I've been called all sorts of things throughout my life but that's a first :-)

        Seriously though, I've worked about a dozen startups, for the Feds, for the state, for huge and medium corporations. I've survived countless layoffs, office ninja'd my way out of one firing, been laid off several times as the startups went under, been fired once and rage quit twice. But at no time ever have I ever no matter how badly or unfairly I was sometimes treated ever once con

  • You never let someone leave the company with working access credentials if they don't need them. Whoever dropped the ball is just as liable as the guy who changed the menus. This is also why it's absolutely forbidden to use a single admin account for everything, or to share user accounts. Moreover, MFA is also important for this reason, because once a person leaves, they should generally stay out.
    • by Bert64 ( 520050 ) <bert.slashdot@firenzee@com> on Wednesday October 30, 2024 @12:31PM (#64906549) Homepage

      In 99.9% of cases you can make this fuckup and nothing will happen, because the vast majority of people are ethical and won't do anything even if their accounts are still valid. Leaving access open is EXTREMELY common.

      As a consultant I often have temporary accounts to my customer's equipment, I've frequently received alerts weeks/months later, or gone back for another contract and found that consultant accounts (either mine or others) are still present for consultants who finished their work months or even years earlier, or that shared passwords have not been changed.

      You can get away with this in 99.9% of cases, it's only in the 0.1% you accidentally hire someone who's crazy and they do something like the story mentions.

      Trying to explain to people why this is a bad idea usually falls on deaf ears. Having a single shared password that everyone knows is a lot less work than managing individual accounts, and the extra cost is not considered worth it for the .1% risk.

      • I worked at a company as the lead engineer, 7 years ago, and my access was never terminated, to this day, I can still log in to all the management systems, seriously! I've alerted everyone at the company, including the owners' wife, and no one will take my account away. The account is not IP locked, it's not geo-locked, there are no restrictions on it, and if you access it, you can get full root level access to all the servers.

        The "new" IT guy who took over when I left, hated SSH Keys, so it's only p
      • by Baron_Yam ( 643147 ) on Wednesday October 30, 2024 @01:11PM (#64906737)

        I always, as my last action, disabled my own account if I have access to do so, and request it be done if I don't.

        It's not for their protection against me; it's for mine against them. I don't want to be a suspect if anything weird happens after I've left.

    • by gweihir ( 88907 )

      Whoever dropped the ball is just as liable as the guy who changed the menus.

      Civil liability? Clearly. Maybe even more so.

      • In today's climate of cyberattack awareness, I hope someone gets in serious trouble for this. The real issue is that an account was left open, for a non-active employee, it doesn't matter what that employee did. When you leave an account open, what else have you left open?

        Last week I reviewed an old VM that another guy was maintaining, the number of IPs in the rule lists for RDP, and SSH was head shaking. He kept adding his new IP, but never removing the old ones, and after 4+ years, there was a huge set
  • by Malay2bowman ( 10422660 ) on Wednesday October 30, 2024 @12:19PM (#64906501)
    It just dawned on me that if he didn't do the profanity and wingdings, there is no telling how long the altered peanut allergy information would've gone unnoticed before someone might have gotten sick or died.
  • Damn, we thought Disney was the worst but taking peanut allergy info off of menus is a real concentrated bit of evil.

    One supposes this is Disney's available tech recruiting pool after what they paid Fritz Hollings to do?

    Still, attacking innocents like this is on par with the neverending pedo ring stings at Disney.

    Walt must be spinning in his cryogenic chamber.

  • One, it's sensational. Two, it doesn't make a whole lot of sense. Someone is smart enough to pull that off, but doesn't understand the extreme difference between embarrassing a company and endangering lives? This source offers a lot of sensational content with minimal external overlap. My skepticism of it grows with time.
    • by gweihir ( 88907 )

      It is not hard to do something like this if you have access and maybe even worked on this before.

      • Doesn't have to be a feat for the ages to require the minimal intelligence that could tell apart a property crime from a potential attack on human life. And like I say, I don't trust this source. They keep dishing out very sensational stories.
  • Once someone has been identified as a current or former Disney employee, is it redundant to note that they are disgruntled?

  • Changing the font to Wingdings is amusing but it would be even funnier if the hacker used Comic Sans or... wait for it... Papyrus.
