Fired Employee Allegedly Hacked Disney World's Menu System to Alter Peanut Allergy Information (404media.co)
An anonymous reader shares a report: A disgruntled former Disney employee allegedly repeatedly hacked into a third-party menu creation software used by Walt Disney World's restaurants and changed allergy information on menus to say that foods that had peanuts in them were safe for people with allergies, added profanity to menus, and at one point changed all fonts used on menus to Wingdings, according to a federal criminal complaint.
The suspect in the case, Michael Scheuer, broke into a proprietary menu creation and inventory system that was developed by a third-party company exclusively for Disney and is used to print menus for its restaurants, the complaint alleges. The complaint alleges he did this soon after being fired by Disney using passwords that he still had access to on several different systems. Once inside the systems, he allegedly altered menus and, in one case, broke the software for several weeks.
"The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies," the criminal complaint states. According to the complaint, the menus were caught by Disney after they were printed but before they were distributed to Disney restaurants. Disney's menus have extensive "allergy friendly" sections.
Ah not to worry. (Score:4, Insightful)
Even if there were allergy problems that arose from this, chances are the victim would be a Disney+ subscriber, so Disney is legally in the clear!
Re: (Score:2)
Would be funny if peanut allergy was not actually lethal.
Re: (Score:2, Interesting)
Has anyone figured out where this relatively NEW phenomenon of peanut allergies has come from?
There was NO such thing when I grew up as a kid....peanuts were at schools...hell on any given day, I'd say half the kids' lunches in elementary school were PB&J's.....
No scares...no mass dying of peanuts.
So, what the hell caused this in the past couple decades?
Re: (Score:2)
Has anyone figured out where this relatively NEW phenomenon of peanut allergies has come from?
Agent Orange, perhaps?
Re:Ah not to worry. (Score:4, Informative)
Now, I doubt the US baby peanut intake used to be high, so there's probably another thing causing the allergy to manifest after they're not pre-emptively exposed.
Re: (Score:2)
For a while, peanut allergies caused peanut allergies. Overreaction to the peanut allergies led to parents delaying introducing peanuts and peanut butter to the diet and older kids not being allowed to take a PB&J sandwich to school. Lack of exposure leads to more allergies.
Re: (Score:2)
Jonathan Haidt talks about this exact topic in the last chapter of his book, The Coddling of the American Mind. It's due to overreaction on the parent's and community's side. Basically there were a few cases of peanut allergy and all of a sudden everyone thought "No big deal. I'll just keep my kids away from peanuts." But by keeping the kids away from them, their bodies didn't learn to cope with the possible allergen at an early age and then it was too late.
The same thing happened with parents not allo
Re: (Score:3)
No one really knows yet. We have immune system issues in my family ranging from Crohn's disease (both myself and my father) to nut and egg allergies. Some of the research that's come out specific to Crohn's disease is that people who live in or immigrate to western societies are more likely to develop it. There's also a correlation between Crohn's disease and northern latitudes. There appears to be both a biological and an environment component to it, but more people are getting it now than ever, but th
Re: (Score:1)
There was NO such thing when I grew up as a kid....peanuts were at schools...hell on any given day, I'd say half the kids' lunches in elementary school were PB&J's.....
You mean peanut allergies were so rare that schools didn't bother caring because the odds were incredibly strong that they didn't have any students with one.
Re: (Score:2)
So, wait, am I hearing that PB&J's are banned at schools now?
Re: (Score:1)
I was shocked to hear a few years ago, from a parent that they said emphatically "YES" any peanut food, including PB&J's were banned at schools, for fear of one of the sensitive kids getting exposed to it.....I was blown away at such a thing, but apparently it is a thing.
Re: Ah not to worry. (Score:2)
Probably a mix of peanut allergy awareness and the generally greater amount of food diversity in a globalized economy.
Peanut allergies generally come from not being exposed to peanuts at a young age. So as peanut allergy awareness went up, parents became scared to give their kids peanuts, which in turn means they're likely giving their kids peanut allergies. Add in the schools that forbid peanuts because one kid has an allergy and it exacerbates the problem. There was even a period where the federal govern
Re: (Score:2)
This is a long and convoluted story
Around 2000 doctors were concerned about a relatively rare malady that occurs when infants eat adult foods and experience a nearly fatal response
It occurs in about 1 in 10,000 children, and as a result the American Pediatrics Association published a suggestion that parents strictly limit exposure of infants to anything but formula for the first six months of life
The net results of this were a tragic rise in the instance of food allergies, particularly involving peanuts, but
Re: (Score:2)
In a way he's lucky because he's repulsed by even the smell, and his reaction seems to be to vomit instead of going into anaphylactic shock. I'm
Re: (Score:2)
I am sorry that your allergist does not trust you enough to let you know what happened (see my documentation above)
Please go to this website and review the FDA suggested treatment for long-term resolution of peanut allergies
https://acaai.org/health-care-... [acaai.org]
There is a very good chance that you can keep your child from a life-long malady
Re: (Score:2)
He should have gone for the lactose intolerance angle and given most people diarrhea instead of trying to commit murder.
I wish more people would ask me about alternatives to murder. I'm REALLY good at not running around like a lunatic and murdering people.
Hell, he could have taken up basket weaving. Maybe make designs showing the Steamboat Willie version of Mickey Mouse having steamy romance with Peg-Leg Pete.
Re: (Score:2)
I do hope the charge is attempted murder, since that's what it is. And he should face one count (with consecutive sentences) for each Disney customer with a peanut allergy. Should be good for a few hundred thousand years behind bars.
Re: Ah not to worry. (Score:2)
Could be negligent homicide if it actually led to any deaths. But yeah, not murder.
Re: (Score:2)
Attempted murder is iffy. CFAA is a slam dunk. Remember, that's what Aaron Swartz was threatened with 35 years or so for.
Obvious Question (Score:5, Informative)
Re: (Score:1)
Whoa! You want someone to take responsibility? And do their job?
This is 2024, pal, not 1954. You're talking about the bad old days.
Stop complaining and be happy.
Re: (Score:3)
Whose job is it to offboard employees such that they aren't just leaving people with access to their systems after firing them? HR? IT? I'm looking at you. I mean... c'mon.
Still have my accounts (active) after leaving 3 years ago. It's amazing, ain't it? They fire the capable, and keep the morons.
Re: (Score:2)
- passwords deactivated /\
- security keycard deactivated
- The supervisor with at least 2 big burly security guards walks up to the worker
- "You're fired"
- 5 minutes with the big burly security guards flanking the worker as he clears his desk of all personal items
- worker escorted off premises
--- all done in that order
Yes, it's as cold, heartless, and efficient as it sounds, and I'm very surprised Disney does not do this.
Re: (Score:2)
I am guessing this is related to cloud hosted services with shared passwords. Two great gotchas for proper security protocols.
Re: (Score:2)
Because that is so much better. Nothing like walking out of the office and someone trailing you while watching your every move. Sounds like the other side of the Berlin Wall back in the day.
Re: (Score:2)
At Evil, Co., as part of our environmental responsibility initiative, we push terminated employees into the protein recycling vats.
Re: Obvious Question (Score:2)
You're wrong.
It's usually 15 minutes you're allowed before getting manhandled.
Re: (Score:2)
You kind of assume that both the IT department and management are organized well enough to do something in less than a week's time.
Re: (Score:2)
Whose job is it to offboard employees such that they aren't just leaving people with access to their systems after firing them? HR? IT? I'm looking at you. I mean... c'mon.
As long as Disney can point to one specific culprit, already fired, they'll do so. Never mind shit policy and the entire chain of failure that led to this incident. Corporations are not responsible for anything. Individuals are. Unless it's systemic and the only culprits sit on the board. Then nobody's responsible. It's just good business.
Re: (Score:2)
Committing a crime is a crime.
Re: (Score:2)
On the other hand, not revoking access is gross negligence. You know, the kind that makes you liable.
Re: (Score:2)
Especially when "IT" means a mix of outsourcing companies which handle wildly different credential suites and access solutions.
This happens in pretty much every corporation. Single Sign On is a wet dream.
Re: Obvious Question (Score:2)
Yeah, my old boss would regularly forget to tell me when people left or were let go. I'd eventually hear about it through random conversation and have to do periodic audits to check if any of these people were still working for us.
Fortunately I practiced the principle of least privilege, so only a select few people (basically just 3 people, including myself) could do significant damage, and those were people I would know were gone pretty quickly. We also had very low turnover.
Re: Obvious Question (Score:2)
I imagine in the future, the bloodsports we'll be fed on TV will be HR-MMA, no holds barred fighting between HR employees, where you're allowed to bite and break the opponent's limbs in the ring.
It will be a smash hit, I tell ya.
Re: Obvious Question (Score:2)
Yeah, it's nonsensical.
"We trust you with the keys to ruin our company, but we don't trust you enough to know about HR decisions."
What?
Re: (Score:3)
Maybe cut people a severance check once in a while. The classic: "No hard feelings. Here's 6 weeks if you promise to GTFO"
Re: (Score:2)
The person that was fired should not criminally use systems after they get fired. Period. That's 'his job'. While it's a good habit to throw out old employee accounts, still having an old password does not make it OK to still use it in a way that harms the company or other people.
Re: (Score:2)
Sure. The person that did this is a criminal moron. But the ones that failed to revoke access are grossly negligent morons.
Re: (Score:2)
Dude is looking at federal CFAA charges.
Re: (Score:1)
Hello?!? the whole point of this statement is to distance themselves from the appropriate consequences - doh!
Holy crap what a shitty human being you must be (Score:5, Informative)
to put people's lives at risk because you have a beef with your employer.
Re: (Score:3)
The other things could be written off like pranks, but messing with allergy info isn't okay.
Re: (Score:3)
Especially in that manner. If he had changed it so it said something like the Swedish Fish may contain shellfish that would be kind of funny and people with allergies could at least err on the side of caution and not eat anything
Re: (Score:2)
If somebody gets hurt or dies, it falls under (attempted) manslaughter. You have to be _really_ stupid to do something like this.
Re: (Score:2)
Depending on the jurisdiction, it could be considered Felony Murder.
I'm not sure if Federal law includes such a provision.
Re: (Score:2)
The guy is a real mental case, but people typically don't just become that way for nothing. Something rotten led up to this even before he was terminated.
A mentally healthy person doesn't act like this no matter how badly they get treated at work.
Re: (Score:2)
Clearly. Why does this even need to be stated?
Re: (Score:2)
Indeed. However there are many crappy human beings that think the world is all about them and others do not matter.
BIG legal trouble (Score:1)
Re: (Score:3)
Jigsaw: Let's play a game. Wingdings, Comic Sans, or prison. Which do you choose?
Re: BIG legal trouble (Score:2)
You're locked in here with me....
I have wingdings and comic sans, and I'm not afraid to use them.
FTA (Score:2)
Did you read an article? The guy was a total nut. He had information on coworkers' addresses and families. Hacking and FDA violations are the tip of the iceberg.
Disney security protocol is so Mickey Mouse (Score:2)
Attempted murder, not "computer fraud" (Score:2)
That's clear attempted murder, should be taken very seriously. Why are they only charging him with "computer fraud" .. he tried to kill people.
Dumb fuck deserves prison (Score:3)
Why do people do post-firing hacking on their former employer?
They fired you. That sucks. You're not getting your job back. Work on your resume and move on. You hate them so much and cared so much about some dumb job and your stupid boss that you'd go to prison and fuck up your whole life to inflict some temporary harm on them? Super fucking crazy. No wonder he got fired. He was a psycho and a bad hire in the first place.
Be it your former job or your ex-spouse or bf/gf or bff or your dog runs away, just move the fuck on. There is no benefit to going psycho on people who are now your past.
Re: (Score:1)
I mean, I'm not saying you're wrong for 99% of situations. (You knew when you were hired that the employment could be terminated at any time, etc. etc.)
But the fact this guy specifically went after the restaurant menus and the peanut allergies in particular, just after all the news came out about Disney's ridiculous fight not to compensate a family for serving peanuts in food despite being instructed the person had a peanut allergy? That looks more like a type of guerilla corporate warfare move than a perso
Re: (Score:2)
Corporate warfare? Am I reading that right? To me that means he was doing harm as a paid agent of some Disney competitor. Is that what you meant?
Re: (Score:2)
Uh, not necessarily -- though that's an interesting possibility that I'm sure has been the case in some of these other corporate hacks by former employees.
I'm not sure what term you'd prefer... maybe an "activist" sounds better to you?
My general point here is, a LOT of people feel the Disney corporation is a pretty evil one, these days. I don't see how anyone paying attention can mistakenly believe they're the exact same type of company they were back when Walt was in charge of it?
Re: (Score:2)
Sure, they're a lot different than Walt's day but I'm just seeing a guy who abused whatever access he still had to fuck shit up because he was mad at getting fired. He likely wasn't fucking shit up (intentionally) when he was still employed; he was happy enough working there until he suddenly wasn't then went ape shit and fucked himself for nothing. There's no evidence of hacktivism I'm aware of.
At least if he was a paid corporate agent that would make some sense if the pay was high enough. But to do childis
Re: (Score:3)
I think you're giving this guy way too much credit, and your explanation of the event in question is unnecessarily complex compared to the obvious and simple one. (Occam's Razor)
This is a guy who, even as you put it:
[...] was not being smart enough to cover their tracks better. If you're recently terminated AND you had access to the systems in question, you're going to be right at the top of their suspect list.
I see no reason to suggest that it is more likely that his actions were a part of some clandestine activism, as opposed to the simple explanation that he was angry with his former employer.
As a bit of a tangent, (not directed at you specifically to be clear, it just makes me think about it),
Re: (Score:2)
Why do people do post-firing hacking on their former employer?
Because these people are deeply stupid and think it is all only about them. Gigantic egos, rather small skills. Common occurrence these days.
There is no benefit to going psycho on people who are now your past.
Indeed. But it takes a rational mind and some pragmatism to see that. There are plenty of people that fail this test.
Adrenaline-induced anger not rational (Score:3)
Maybe you have a mellower temperament, but when a good portion of people are angry they are not thinking rationally. Reptilian fight-or-flight instincts kick in, and the urge to cause instant harm as retaliation is set to level 11.
When I get riled up I try to go for a jog or long walk to burn off excess energy caused by adrenaline. Plus the journey gives me time to mellow out and think clearer. (Passer-by's
Re: (Score:2)
> Maybe you have a mellower temperament
Lol, I've been called all sorts of things throughout my life but that's a first :-)
Seriously though, I've worked about a dozen startups, for the Feds, for the state, for huge and medium corporations. I've survived countless layoffs, office ninja'd my way out of one firing, been laid off several times as the startups went under, been fired once and rage quit twice. But at no time ever have I ever no matter how badly or unfairly I was sometimes treated ever once con
If anything this is management's fault! (Score:1)
Re:If anything this is management's fault! (Score:4, Interesting)
In 99.9% of cases you can make this fuckup and nothing will happen, because the vast majority of people are ethical and won't do anything even if their accounts are still valid. Leaving access open is EXTREMELY common.
As a consultant I often have temporary accounts to my customer's equipment, I've frequently received alerts weeks/months later, or gone back for another contract and found that consultant accounts (either mine or others) are still present for consultants who finished their work months or even years earlier, or that shared passwords have not been changed.
You can get away with this in 99.9% of cases, it's only in the 0.1% you accidentally hire someone who's crazy and they do something like the story mentions.
Trying to explain to people why this is a bad idea usually falls on deaf ears. Having a single shared password that everyone knows is a lot less work than managing individual accounts, and the extra cost is not considered worth it for the .1% risk.
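The periodic audit mentioned earlier in the thread, extended to the stale consultant accounts and unchanged shared passwords described in the comment above, as an added example that is not part of the thread or of any system named in the story. The HR roster, system names, account names and dates are all constructed, and the export format (one row per credential with a list of holders) is an assumption.

```python
from datetime import date

# Constructed sample data for illustration; not taken from the article.
# HR roster: person -> termination date, or None if still employed.
ROSTER = {
    "alice": None,
    "bob": date(2024, 6, 14),
    "carol": date(2024, 9, 2),
}

# One row per credential per system, as an admin export might list them.
# "holders" is everyone who has ever been given the password or key.
ACCOUNTS = [
    {"system": "menu-app", "account": "alice", "holders": ["alice"],
     "enabled": True, "credential_set": date(2024, 1, 10)},
    {"system": "menu-app", "account": "bob", "holders": ["bob"],
     "enabled": True, "credential_set": date(2023, 11, 3)},
    {"system": "sftp", "account": "menus-shared",
     "holders": ["alice", "bob", "carol"],
     "enabled": True, "credential_set": date(2024, 7, 1)},
    {"system": "print-server", "account": "svc-print",
     "holders": ["alice", "bob"],
     "enabled": True, "credential_set": date(2024, 6, 20)},
    {"system": "vpn", "account": "carol", "holders": ["carol"],
     "enabled": False, "credential_set": date(2024, 2, 1)},
    {"system": "vpn", "account": "dave", "holders": ["dave"],
     "enabled": True, "credential_set": date(2024, 3, 5)},
]


def audit(roster, accounts, today):
    """Return sorted (system, account, action, who) findings for live credentials."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing left to revoke
        key = (acct["system"], acct["account"])
        unknown = sorted(h for h in acct["holders"] if h not in roster)
        if unknown:
            # Holder missing from HR records: no offboarding step will ever fire.
            findings.append(key + ("INVESTIGATE_UNKNOWN_HOLDER", tuple(unknown)))
        gone = {h: roster[h] for h in acct["holders"]
                if roster.get(h) is not None and roster[h] <= today}
        if not gone:
            continue
        if len(acct["holders"]) == 1:
            # Personal account of someone who has left: disable it.
            findings.append(key + ("DISABLE", tuple(sorted(gone))))
            continue
        # Shared secret: anyone who left on or after the last rotation
        # still knows the current value (same-day counts as not rotated).
        still_know = sorted(h for h, left in gone.items()
                            if left >= acct["credential_set"])
        if still_know:
            findings.append(key + ("ROTATE", tuple(still_know)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ROSTER, ACCOUNTS, today=date(2024, 10, 30)):
        print(finding)
```

The shared-credential branch is the one a per-user disable step misses: `svc-print` is clean because it was rotated after bob left, while `menus-shared` is flagged because carol left after its last rotation.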
Re: (Score:3)
The "new" IT guy who took over when I left, hated SSH Keys, so it's only p
Re:If anything this is managements fault! (Score:4, Insightful)
I always, as my last action, disabled my own account if I have access to do so, and request it be done if I don't.
It's not for their protection against me; it's for mine against them. I don't want to be a suspect if anything weird happens after I've left.
Re: (Score:2)
Exactly.
Re: (Score:2)
Whoever dropped the ball is just as liable as the guy who changed the menus.
Civil liability? Clearly. Maybe even more so.
Re: (Score:2)
Last week I reviewed an old VM that another guy was maintaining, the number of IPs in the rule lists for RDP, and SSH was head shaking. He kept adding his new IP, but never removing the old ones, and after 4+ years, there was a huge set
Fridge horror (Score:3)
Evil vs. Evil (Score:2)
Damn, we thought Disney was the worst but taking peanut allergy info off of menus is a real concentrated bit of evil.
One supposes this is Disney's available tech recruiting pool after what they paid Fritz Hollings to do?
Still, attacking innocents like this is on par with the neverending pedo ring stings at Disney.
Walt must be spinning in his cryogenic chamber.
I'd want a real source for this before buying it. (Score:2)
Re: (Score:1)
It is not hard to do something like this if you have access and maybe even worked on this before.
/o\ | \o/ (Score:1)
Once someone has been identified as a current or former Disney employee, is it redundant to note that they are disgruntled?
Not quite clever enough (Score:2)
Changing the font to Wingdings is amusing but it would be even funnier if the hacker used Comic Sans or... wait for it... Papyrus.