Former Disney employee Michael Scheuer, based in Orlando, has pleaded guilty to a series of cyberattacks targeting a restaurant menu management system following his termination. Scheuer’s actions could have had grave consequences for restaurant patrons, including potential threats to life due to altered allergen information in menu items.
Scheuer, who previously held the position of menu production manager, carried out multiple attacks over three months after his dismissal. His actions included falsifying dish information, providing misleading safety data for individuals with allergies, replacing fonts with illegible symbols, and inserting profanity. One particularly shocking incident involved altering the wine origin information, replacing legitimate regions with references to sites of mass tragedies. He also added swastika images to the menus.
Using his former credentials, Scheuer gained unauthorized access to the internal system. Additionally, he launched DDoS attacks, disabling the accounts of at least 14 employees. This was accomplished through a script that made approximately 7,934 login attempts on the corporate system. Furthermore, Scheuer leaked login credentials for the menu management system on the dark web, creating further security risks.
The company was forced to respond swiftly to mitigate the incidents, disabling the system and restoring data from backups. During this period, staff had to revert to manual menu processes, significantly slowing operations. According to company representatives, the altered menus never reached the restaurants, thus averting harm to patrons. However, the breach caused widespread concern, particularly in light of a recent lawsuit regarding the death of a restaurant guest linked to a server’s error about allergens in a dish.
Scheuer also retained personal data belonging to several employees, including their home addresses and phone numbers. In one alarming instance, he appeared at an employee’s residence during the night. These actions further compounded the charges against him.
The defendant’s attorney stated that Scheuer fully acknowledges his wrongdoing and is prepared to accept the consequences. According to the lawyer, Scheuer struggled with mental health issues exacerbated by his dismissal, which occurred shortly after he returned from parental leave. This added stress, the attorney argued, may have triggered the cyberattacks. Scheuer has agreed to pay restitution to Disney and a fine to the state.
Although Disney is not explicitly named in court documents, it is identified as a “media and entertainment company operating in Central Florida.” Scheuer faces a maximum sentence of up to 10 years in prison for the cyberattacks, with an additional minimum of 2 years for identity theft. The sentencing date has yet to be scheduled. Scheuer has also consented to forfeit the computer used in the attacks to the state.
