By Jason Koebler
This article was produced in collaboration with 404 Media, a new independent technology investigations site.
A disgruntled former Disney employee allegedly repeatedly hacked into a third-party menu creation software used by Walt Disney World’s restaurants and changed allergy information on menus to say that foods that had peanuts in them were safe for people with allergies, added profanity to menus, and at one point changed all fonts used on menus to Wingdings, according to a federal criminal complaint.
The suspect in the case, Michael Scheuer, broke into a proprietary menu creation and inventory system that was developed by a third-party company exclusively for Disney and is used to print menus for its restaurants, the complaint alleges. The complaint alleges he did this soon after being fired by Disney using passwords that he still had access to on several different systems.
“The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies,” the criminal complaint states. According to the complaint, the menus were caught by Disney after they were printed but before they were distributed to Disney restaurants.
Disney is not named in the complaint itself, but 404 Media has confirmed with Scheuer’s lawyer and by cross-referencing facts in the complaint that Disney is the company in question.
According to the complaint, Disney contracted a company (listed as “Company B”) to build a “Menu Creator” software that is proprietary only to Disney and is used for food inventory management, menu creation and printing, and pricing. The complaint alleges that Scheuer repeatedly “manipulated the menus” to change prices and add profanity, but also “made several menu changes that threatened public health and safety” by changing peanut allergy information. It alleges that he initially used login credentials he had from his time at Disney, then later broke into Company B’s FTP servers using separate logins after Disney reset login passwords to the Menu Creator program.
Employees at Disney initially became aware of the intrusion because all of the fonts in the Menu Creator program had been changed to Wingdings.
Employees “noticed that all of the fonts in the application had been replaced by fonts that depicted symbols, also known as wingdings. The fonts were renamed by the threat actor to maintain the name of the original font, but the actual characters appeared as symbols. When launched, Menu Creator reached out to the configuration files to retrieve what it believed to be the correct font, instead, it retrieved the altered font files. As a result of this change, all of the menus within the database were unusable because the font changes propagated throughout the database. Further, this change was so substantial that it caused the Menu Creator system to become inoperable while the font changes were made to all of the menus. Company A was forced to take the Menu Creator application offline while they reverted to backups to regain the ability to operate. As a result of this attack, the Menu Creator system was impacted for a period of 1-2 weeks. Manual processes had to be implemented to account for the issues with Menu Creator,” states the complaint.
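The font swap described in the complaint worked because the application trusted whatever file sat at the path its configuration named: the filenames stayed the same while the bytes changed. The usual control against that is a hash manifest taken from a known-good build and checked before the files are loaded. The following is an added example, not Disney's or Company B's code, and the directory layout, the `menu.conf` file and the font bytes are all constructed stand-ins:

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large font files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (as a forward-slash relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_manifest(root: str, manifest: dict) -> dict:
    """Compare the tree under root with a trusted manifest.

    A same-named file with different contents shows up under 'modified',
    which is exactly the case a filename-only check misses.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: a font file is replaced in place under its original name."""
    with tempfile.TemporaryDirectory() as root:
        fonts = os.path.join(root, "fonts")
        os.makedirs(fonts)
        # Hypothetical font and config; the bytes are placeholders, not a real TrueType file.
        with open(os.path.join(fonts, "MenuSans.ttf"), "wb") as f:
            f.write(b"\x00\x01\x00\x00 constructed stand-in for the original font bytes")
        with open(os.path.join(root, "menu.conf"), "w") as f:
            f.write("font=fonts/MenuSans.ttf\n")

        # The manifest is taken from the trusted state, before any tampering.
        baseline = build_manifest(root)

        # Attacker swaps the font contents but keeps the filename the app resolves from menu.conf.
        with open(os.path.join(fonts, "MenuSans.ttf"), "wb") as f:
            f.write(b"\x00\x01\x00\x00 constructed symbol-font bytes")

        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline manifest has to come from the build or deployment pipeline and be stored somewhere the application host cannot write, otherwise an attacker with the level of access described here could simply regenerate it after swapping the files. Running the check at application start, before configuration files are resolved into font paths, also gives an operator a clean failure instead of a database full of unusable menus.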
After that incident, Disney reset Menu Creator login passwords. The complaint then alleges that Scheuer broke into several of Company B’s FTP servers which served as print queues for Disney menus, and uploaded files that were made to look identical to real Disney menus but which had been slightly altered. It states that Disney “identified menus that were printed from [the FTP server] with the altered allergen information and pricing changes. More specifically, the threat actor added notations to menu items indicating they were safe for people with specific allergies, which has potentially fatal consequences depending on the severity of the customers’ allergies. It is believed these menus were identified and isolated by [Disney] prior to being shipped out to restaurants and were not distributed further.” On a separate occasion, Scheuer allegedly broke into a separate FTP server used to print big menus that “would be displayed on large boards for viewing outside of the respective restaurant.” On these menus, he allegedly altered QR codes that were supposed to go to the menu and had them redirect to the website boycott-israel.org.
Scheuer also allegedly locked at least 14 Disney employees out of their Disney accounts by trying to log into Disney’s online account system thousands of times with a script, maintained a folder of personal information about four employees’ homes, phone numbers, and relatives, and showed up at one of the victim’s homes at night, the complaint says.
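Locking employees out by scripting thousands of failed logins is a lockout denial of service: the attacker never needs the right password, only enough wrong ones to trip the account lockout policy. It is also noisy, and easy to spot in authentication logs when failures are grouped by source and target account. The following detection is an added example written for this article, not anything from the complaint or from Disney; the log format, the IP addresses, the usernames and the lockout thresholds are all constructed assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<iso-timestamp> auth FAIL|OK user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def find_lockout_attacks(lines, threshold=5, window=timedelta(minutes=10), min_accounts=3):
    """Return {src: [accounts]} for sources that pushed at least `min_accounts`
    distinct accounts past `threshold` failures inside `window`.

    `threshold`/`window` mirror the assumed lockout policy; `min_accounts`
    separates one user fumbling a password from a script sweeping many accounts.
    """
    failures = defaultdict(list)  # (src, user) -> [timestamps of failed attempts]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        failures[(ev["src"], ev["user"])].append(ev["ts"])

    locked = defaultdict(set)
    for (src, user), stamps in failures.items():
        stamps.sort()
        # Sliding window: any `threshold` consecutive failures within `window` would
        # have triggered the lockout policy for this account.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                locked[src].add(user)
                break

    return {src: sorted(users) for src, users in locked.items() if len(users) >= min_accounts}


def constructed_log():
    """Constructed sample: one scripted sweep, one legitimate typo, one single-account burst."""
    base = datetime(2024, 7, 1, 2, 0, 0)
    lines = []
    # Script from one source hammering four accounts, six failures each within seconds.
    for n, user in enumerate(["alice", "bob", "carol", "dave"]):
        for k in range(6):
            t = base + timedelta(seconds=n * 10 + k)
            lines.append(f"{t.isoformat()} auth FAIL user={user} src=203.0.113.7")
    # A real user mistypes once and then succeeds: should not be flagged.
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} auth FAIL user=erin src=198.51.100.2")
    lines.append(f"{(base + timedelta(minutes=3, seconds=20)).isoformat()} auth OK user=erin src=198.51.100.2")
    # Many failures against a single account from another source: locks one account,
    # but does not meet min_accounts, so it is left for a separate brute-force rule.
    for k in range(8):
        t = base + timedelta(hours=1, seconds=k)
        lines.append(f"{t.isoformat()} auth FAIL user=frank src=192.0.2.9")
    return lines


if __name__ == "__main__":
    print(find_lockout_attacks(constructed_log()))
```

Grouping by source first is what turns a pile of individual lockouts into one alert with one actionable indicator. The same shape works against a portal's failed-login events regardless of the exact log format, as long as the parser yields a timestamp, an outcome, a target account and a source.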
The criminal complaint does not name Disney, but involves what it calls “Company A,” a “media and entertainment company operating in the Middle District of Florida” (Disney is based in this district). The complaint notes that Scheuer tried to log in to employees’ accounts at wdpr.service-now.com, which is the login portal for the Walt Disney company. Scheuer’s LinkedIn lists him as having worked at Disney during dates that align with those in the criminal complaint. 404 Media asked David Haas, a lawyer representing Scheuer, if anyone had gotten sick at Disney as a result of the activities alleged in the complaint. Haas said “the criminal complaint itself states that no one was sick or injured as no menus were used in the parks. Other than that, I have no comment on the allegations against my client.”
Disney is currently—and separately—being sued by a Disney World guest whose wife died after suffering a fatal allergic reaction, in what has become a high-profile case because Disney initially tried to get the wrongful death suit thrown out on the basis of a forced arbitration clause in its Disney+ terms of service. This menu-hacking case is completely separate, with the alleged intrusions happening months after that patron died.
The Department of Justice declined to comment. Disney did not respond to a request for comment.