3 days Ago By Thomas Claburn
Former Disney employee Michael Scheuer was sentenced to 36 months in prison and fined almost $688,000 for screwing up a software application the entertainment giant used to cook up its restaurant menus. Scheuer, a resident of Winter Garden, Florida, was arrested in October and charged with breaking America's Computer Fraud and Abuse Act (CFAA) for accessing Disney IT systems without authorization, and with aggravated identity theft. A criminal complaint [PDF] was filed in federal court in Orlando, Florida.
And the court accepted Scheuer's agreement to plead guilty to the CFAA and identity theft charges in January. Sentencing occurred last week. Scheuer served as the Menu Production Manager for Disney prior to being fired on June 13, 2024, for misconduct.
According to Disney, the termination was contentious and not amicable. In July, as described in his guilty plea agreement [PDF], Scheuer retaliated against the media powerhouse by making unauthorized changes to Disney restaurant menus through its Menu Creator application, hosted by an unidentified third-party based in Minnesota. The changes included the replacement of fonts specified by the Menu Creator configuration file with Wingdings .
"When launched Menu Creator reached out to the configuration file to retrieve what it believed to be the correct font; instead it retrieved the altered font files," the plea agreement explains. "These font changes propagated throughout the database resulting in each menu displaying the same generic font as opposed to the themed fonts applied to each menu. Further, this caused the Menu Creator system to become inoperable while the font changes were pushed to all of the menus.
" Scheuer also made changes to menu images and background files, such that they loaded as blank white pages. The app was down for one to two weeks for repairs and Disney no longer uses it. To put an end to this initial attack, the animation titan limited access to the app and reset passwords.
Scheuer was able to attack the app three ways: One, by using an administrative account, accessing it through a commercial VPN called Mullvad; and two, using a URL-based access mechanism that was made available to contractors. The use of a Mullvad VPN wasn't particularly confounding for investigators. The plea agreement observes, "The IP address used in this attack was from the same IP range that Scheuer used to logon to his [Disney] email account in the past, which was also a Mullvad IP address.
" A third approach involved targeting secure file transfer protocol (SFTP) servers maintained by the unidentified Menu Creator vendor to store menu files ready for printing or display on a menu screen. During an initial intrusion, Scheuer gained administrative access on the SFTP servers. And after being locked out of the Menu Creator app, he was able to use that access to alter the menus stored on the file server.
"Among the changes made by Scheuer to the menus were changes to allergen information and pricing," the plea agreement says. "As to the former, Scheuer added notations to menu items indicating they were safe for people with specific allergies, which could have had fatal consequences depending on the type and severity of a customer's allergy." Other alterations included changing the wine regions to areas associated with mass shootings and the addition of graphics including a swastika.
A subsequent round of attacks on a different SFTP server involved altering QR codes on menus to load a website promoting a boycott of Israel. The plea agreement indicates that while some of these altered menus were printed, it's believed all were all caught before they were distributed. Scheuer also conducted denial of service (DoS) attacks intended to prevent Disney employees from logging in to their enterprise accounts.
He ran an automated attack script that made more than 100,000 incorrect login attempts in an effort to have the accounts locked down. Fourteen employees are said to have been affected in this way. The court filing says the FBI served a warrant to search Scheuer's residence on September 23, 2024, "and the DoS attacks ceased minutes before the agents first made contact with Scheuer and have not restarted since the seizure of his computer.
" Agents report finding various virtual machines used to conduct the attacks and a doxxing file containing personal information on five Disney employees and the mother of one of these workers. At the end of his imprisonment, Scheuer faces three years of supervised release with various conditions including a ban on contact with the corporation and individual victims. ®.
