Former Disney Cast Member Sentenced to Prison for Hacking Company's Allergy Menu System
A former Walt Disney World cast member has been sentenced to prison for hacking into the company's internal allergy menu system and altering critical safety information about food served at the resort. Michael Scheuer, a 35-year-old former employee, was handed three years in federal prison on Wednesday after pleading guilty to knowingly dispatching unapproved commands to a protected computer and committing aggravated identity misuse.
As part of his plea deal, U.S. District Judge Julie Sneed also ordered Scheuer to forfeit his computer equipment and pay $687,776.50 in restitution to the victims. The judge's order came after authorities revealed that Scheuer had retained access to the company's internal menu system on his personal devices for months following his termination in June 2024.
Scheuer's hacking activities were particularly egregious, with the former Disney employee manipulating allergen information on the resort's menu to make certain foods appear safe for guests with peanut allergies when they were in fact dangerous to consume. This could have resulted in guests with severe allergies being put at serious risk of anaphylaxis or other life-threatening reactions.
In addition to altering food safety information, Scheuer also changed information on Disney's beverage list, swapping out regional origins of certain wines for locations where national tragedies have recently occurred. He also reportedly added offensive symbols to menus and obstructed access to the company's internal accounts through a denial-of-service (DOS) cyberattack.
But what was perhaps most disturbing was Scheuer's brazen move of visiting the home of a cast member who was impacted by his actions and giving a thumbs-up hand gesture to a security camera outside the residence before leaving. Disney responded by booking a hotel for the targeted employee and providing security at the location.
The FBI's Tampa division got involved in the case, sending agents to Scheuer's residence where he was raided and his electronics seized. "Formidable relationships with the private sector are a pillar of the FBI's Cyber Strategy," said Special Agent in Charge Matthew Fodor. "Through the strength in our partnerships, our Cyber Task Force swiftly identified Mr. Scheuer and disrupted his ability to continue threatening the public."
Despite the severity of the allegations, Scheuer's lawyer stressed that "no one was physically harmed" as a result of the hacking activities. Disney has since stopped using the third-party menu management application that Scheuer hacked and is now moving towards a manual approval process while it waits for a new, more secure platform to be developed.
The case highlights the importance of cybersecurity in the private sector and the need for robust partnerships between law enforcement agencies and companies like Disney. As Special Agent Fodor noted, "We are committed to safeguarding a robust Cyber Strategy to unmask malicious cyber actors to ensure justice is served."
The Impact on Victims
The victims of Scheuer's hacking activities include guests with peanut allergies who were misled about the safety of certain foods. While no one was physically harmed, the experience could have had severe consequences for those affected.
Disney has taken steps to prevent such incidents in the future by implementing a new security protocol and working closely with law enforcement agencies like the FBI's Tampa division. The company is also providing support to cast members who were impacted by Scheuer's actions.
The Future of Cybersecurity at Disney
Disney has acknowledged that it was breached by Scheuer's hacking activities and is taking steps to improve its cybersecurity measures. The company has stopped using the third-party menu management application that was compromised and is now moving towards a manual approval process while it waits for a new, more secure platform to be developed.
"We take the security of our guests' information very seriously," said a Disney spokesperson. "We are committed to ensuring that our systems are protected from malicious actors like Mr. Scheuer."