Gabrielle Russon
A fired Disney World employee is accused of hacking into an online system and altering Disney World restaurant menus by changing fonts and prices, adding profanity and manipulating the food allergy warnings, according to new federal documents.
The cyberattack caused at least $150,000 in damage and has gotten the FBI involved. Disney printed the wrong menus but realized the mistake in time. The menus were not sent to restaurants or distributed to the public.
A criminal complaint against Michael Scheuer was filed last week in U.S. District Court’s Orlando division. He was arrested on Oct. 23.
“The allegations acknowledge that no one was injured or harmed. I look forward to vigorously presenting my client’s side of the story,” Scheuer’s attorney, David Haas, said in a Wednesday comment to Florida Politics.
Court Watch, in collaboration with 404 Media, was the first media outlet to report about the federal court filing.
According to the criminal complaint, authorities said Scheuer hacked into Menu Creator, which is run by a third-party Minnesota company that creates menus used only for Disney World restaurants.
Scheuer worked as a menu production manager until he was fired on June 13 for misconduct.
“Scheuer’s firing was contentious and was not considered to be amicable,” read the criminal complaint, which did not go into details into the situation.
Over the next three months, Disney became the victim “of multiple computer intrusions into servers associated with the Menu Creator program,” the complaint said. “Scheuer had intimate knowledge of the system architecture, the menu processing workflow, and potential vulnerabilities within the system. Only employees in Scheuer’s position or a position similar to Scheuer would have the accesses and knowledge to carry out the attacks.”
What tipped Disney off was that some of the fonts in Menu Creator had been changed to wingdings, the font made up of symbols.
The changes caused problems in Menu Creator, so it was offline temporarily, causing problems for Disney.
Authorities described some of the menu changes as “benign,” such as different prices or profanity suddenly appearing. Other changes were more serious and could have put people’s health at risk.
“Namely, the threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies,” the criminal complaint said.
The FBI tracked an IP address connected to the cyberattack to Scheuer’s computer with a private network installed on it.
Scheuer is accused of a disruption to the system and attempting over 100,000 logins, according to the criminal complaint.
They seized Scheuer’s computers and found a “dox” folder and personal identifiable information for the victims of his denial-of-service attacks.
“Namely, the multiple incorrect logon attempts would cause an account to lockdown and thus render the corporate accounts unusable until the attacks subsided and the passwords could be reset,” the complaint said.
Scheuer said Disney was trying to frame him “because they were worried about him and the conditions under which he was terminated,” the criminal complaint says.
Disney World did not respond to a request for comment Wednesday. The U.S. Attorney’s Office for the Middle District of Florida declined to comment.
The court documents that bring up the public health concerns over food allergies at Disney World come after a woman died in an unrelated incident from her severe food allergies after eating at a Disney Springs restaurant in 2023.
Florida Politics broke the story that Disney World and an independently-run restaurant Raglan Road Irish Pub and Restaurant were being sued by the widower. The lawsuit led to a wave of international bad publicity for Disney after it tried to force the case in arbitration using its terms and conditions from Disney+ and its theme park app.
Scams, unfortunately, happen even at the Most Magical Place on Earth.
In 2018, Disney World’s Governing Board fell victim to an email phishing scheme that cost the Board $100,000 when an employee sent money to a fake landscaping vendor who emailed her.
