Fired Disney Employee Sentenced to Three Years in Prison for Hacking and Changing Menus

Fired Disney Employee Sentenced to Three Years in Prison for Hacking and Changing Menus

A former Disney employee has been sentenced to three years in prison for hacking into the company's servers to alter its restaurant menus, including falsifying allergen information and printing profane language.

Michael Scheuer, a Florida resident, was ordered to pay nearly $690,000 in restitution, with most of that going to Disney. He pled guilty in January to one count of computer fraud and one count of aggravated identity theft. Scheuer's lawyer, David Haas, said the defendant remains remorseful and apologetic to his former co-workers, but expressed gratitude that the judge heard all of their arguments and mitigation when fashioning a sentence.

Scheuer worked as a menu production manager for Disney and was fired last June for misconduct. He had access to secure internal servers for creating and publishing menus for all of Disney's restaurants as part of his job at the company. However, Disney identified and removed all altered menus before they were shipped to restaurants.

The company didn't immediately respond to CNN's request for comment, but Scheuer hacked into Disney's menu creation servers multiple times to manipulate and disrupt the menus, such as changing prices and adding profane language. He then made changes to the menus that "threatened public health and safety," including altering allergen information to indicate certain menu items with peanuts were peanut-free, posing a fatal risk to individuals with peanut allergies.

Disney employees discovered the disruption when Scheuer altered menu text fonts to become icon symbols, known as wingdings. This change was so substantial that it caused the Menu Creator system to become inoperable while the font changes were made to all of the menus. The company was also forced to take the Menu Creator application offline while they reverted to backups to regain the ability to operate.

The Department of Justice (DOJ) said in a press release last week that the "computer intrusions" also included altering "menu information related to wine regions to reflect locations of recent mass shootings." Additionally, Scheuer allegedly disabled employee accounts during his hacking campaigns. He locked at least 14 Disney employees out of their accounts by continually attempting to log on to their accounts with incorrect passwords. He also used a bot to attempt over 100,000 logins to their accounts, rendering them unusable.

The sentencing is a significant blow to Scheuer, who had access to sensitive information and used it for his own malicious purposes. The incident highlights the importance of cybersecurity measures in place at large organizations like Disney, as well as the need for employees to report any suspicious activity.