Disney worker who hacked menus gets 3 years in prison
11 comments
· April 27, 2025
b8
The restitution seems too high. He probably was fired for going on mat leave, as other companies have been shown to do, and wanted payback. The "unspecified misconduct" firing reason seems weird and they won't expand on it.
geor9e
Disney is quite famous for its strict allergen handling, to the point where people with deadly allergies who don't trust eating out anywhere else make an exception for Disney restaurants. So, were it not for this mass murder attempt, he probably would have gotten off a lot more lightly for some mischief charges.
mattl
Changing prices and adding profanity is one thing but when you alter the allergens on a menu you put people’s lives at risk.
sega_sai
From the article: "None of the changes, including falsified information about food allergens that could have been harmful to visitors, ever appeared before the public, according to court records."
EA-3167
It was caught through review, and the defense claimed that he knew that would be the case and therefore he put no one at risk. I'd argue that systems can fail, review can fail, and if that happened people could have died. Giving him credit for that seems absurd, and his claim that he just wanted attention is equally absurd. If you just want attention the profanity and price changes would achieve that.
Regardless he wasn't convicted of any crime related to potential harm to customers, he was convicted for hacking and identity theft.
SoftTalker
And probably only because Disney was his target and could pay a technical team unlimited money to investigate and spoon-feed the FBI and prosecutor everything they needed. A smaller chain or independent bar/restaurant would not have even gotten the time of day with a complaint about someone changing prices on a menu. And they would have been the ones in court defending any claims of injury due to undisclosed allergens, with only a vague claim of "our menu must have been hacked."
sokoloff
> he just wanted attention
Achievement unlocked.
shadowgovt
What credentials / access did he use to get into Disney's system after he was terminated?
squiffsquiff
Scheuer allegedly went into action quickly following his termination, and by early July was said to have used his work credentials, which still functioned after his termination, to access the menu creation system Disney contracted another company to create and change all the fonts in the system to wingdings symbols.
https://www.theregister.com/2024/10/30/fired_disney_employee...
shadowgovt
Okay. So while jail is probably appropriate given the potential threat of harm if nobody had reviewed the menus prior to their publication with the allergens stripped...
The tech community should not let Disney off the hook for failing to scrub the access credentials of a terminated employee. Because the law can punish one actor, but if the attack vector is still open, the public isn't safe from future more subtle incidents of menu manipulation (or other similar attacks by other disgruntled employees).
Is there any information on what Disney did after this incident to prevent another Scheuer in the future? The root of the attack is that the sFTP system was accessible via "credentials [that] were non-individualized, not specific to a particular user, and available for use by multiple employees with administrative access."
(I'm also a little unclear on whether this was all owned by Disney proper or they were farming this out to a third-party service provider company and that company screwed up. With so many entertainment venues in such a small area, Orlando is positively shot through with high-volume, hyper-focused service provider companies that do stuff like this).
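The gap raised in the comment above (work credentials that still functioned after termination, plus shared, non-individualized sFTP credentials) can be checked with an offboarding audit. This is an added example, not part of the thread and not Disney's or any vendor's code; the account names, dates and the `audit_offboarding` helper are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    name: str
    holders: tuple       # everyone who knows or can use this credential
    enabled: bool
    last_rotated: date   # last password/key change

def audit_offboarding(accounts, terminations):
    """Return (account, person, reason) for every credential that may
    still work for someone who has left. `terminations` maps person -> date."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        for person in acct.holders:
            left = terminations.get(person)
            if left is None:
                continue  # still employed
            if len(acct.holders) == 1:
                # Personal account: must be disabled at termination.
                findings.append((acct.name, person, "personal account still enabled"))
            elif acct.last_rotated <= left:
                # Shared secret: one holder cannot be disabled on their own,
                # so the secret must be rotated after the departure. Same-day
                # rotation is flagged because the order is unknown.
                findings.append((acct.name, person, "shared credential not rotated since departure"))
    return findings

# Constructed sample data (hypothetical names and dates).
SAMPLE_ACCOUNTS = [
    Account("user_a", ("user_a",), True, date(2024, 11, 2)),
    Account("user_b", ("user_b",), True, date(2024, 12, 9)),
    Account("menu-sftp-admin", ("user_a", "user_b", "user_c"), True, date(2024, 8, 1)),
    Account("print-sftp", ("user_a", "user_b"), True, date(2025, 1, 16)),
    Account("user_d", ("user_d",), False, date(2024, 5, 5)),
]
SAMPLE_TERMINATIONS = {"user_a": date(2025, 1, 15), "user_d": date(2024, 6, 1)}

if __name__ == "__main__":
    for finding in audit_offboarding(SAMPLE_ACCOUNTS, SAMPLE_TERMINATIONS):
        print(*finding, sep=" | ")
```

A shared credential is only cleared by rotation after the departure, which is why individual accounts are easier to offboard than credentials "available for use by multiple employees".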
This is a dupe of an earlier submission https://news.ycombinator.com/item?id=43811864