In a notable case highlighting cybercrime within corporate environments, former Disney employee Michael Scheuer has been sentenced to 36 months in prison and ordered to pay a hefty fine of nearly $688,000. His sentencing stems from a series of unauthorized alterations made to the software application that the entertainment giant relied upon to manage its restaurant menus.

Scheuer, a resident of Winter Garden, Florida, was apprehended in October 2024 and subsequently charged under the Computer Fraud and Abuse Act (CFAA) for illicitly accessing Disney's IT systems. He was also charged with aggravated identity theft. A criminal complaint was lodged in federal court in Orlando, Florida, and after entering a guilty plea in January, he faced sentencing just last week.

Before his termination on June 13, 2024, Scheuer held the position of Menu Production Manager at Disney. His firing was reported as contentious, indicating that the relationship between him and the company soured significantly before his exit.

According to a plea agreement provided by Scheuer, his retaliatory actions against Disney began shortly after his dismissal. He executed unauthorized modifications to the menus in Disney's Menu Creator application, which is hosted by a third-party vendor based in Minnesota. Notably, Scheuer replaced the specified fonts in the applications configuration files with the obscure Wingdings font.

The technical ramifications of these changes were severe. As described in the plea agreement, when the Menu Creator application attempted to fetch the correct font from the configuration file, it inadvertently retrieved the tampered font files instead. This error cascaded through the database, leading to each restaurant menu displaying a generic font instead of the themed fonts originally intended for each menu item. This disruption rendered the Menu Creator application inoperable for a period of one to two weeks, forcing Disney to cease its use of the application altogether.

To mitigate the damage from this cyber attack, Disney implemented stricter access controls on the application and reset various user passwords. Scheuer managed to exploit the system through multiple vectors. He initially used an administrative account to access the application via a commercial VPN service known as Mullvad. Notably, this VPN wasn't a mystery to investigators; the IP address associated with the attack corresponded with one that Scheuer had previously used to access his Disney email account.

Additionally, Scheuer utilized a URL-based access method that was available to contractors, further complicating the investigation. A third avenue of attack involved secure file transfer protocol (SFTP) servers controlled by the Menu Creator vendor, where he gained unauthorized administrative access to menu files meant for printing or display. Even after being locked out of the Menu Creator application, Scheuer managed to use this access to alter menus stored on the servers.

Among the changes made to the menus were potentially dangerous modifications to allergen information and pricing structures. Scheuer added misleading notations indicating that certain menu items were safe for individuals with allergies, a change that could have resulted in life-threatening consequences for unsuspecting customers. Other alterations included changing wine regions to areas associated with mass shooting incidents and even adding graphic images like a swastika to the menus.

In a separate but equally concerning attack, Scheuer manipulated QR codes on the menus to redirect users to a website promoting a boycott of Israel. Fortunately, while some of these altered menus were printed, they were reportedly intercepted before they could be distributed to customers.

Moreover, Scheuer engaged in denial of service (DoS) attacks aimed at disrupting the logging-in process for Disney employees. He deployed an automated script that executed over 100,000 incorrect login attempts, effectively locking fourteen employees out of their accounts.

The investigation escalated when the FBI executed a search warrant at Scheuer's residence on September 23, 2024. Intriguingly, the DoS attacks ceased just moments before federal agents made contact with him, and they have not resumed since the seizure of his computer. During the search, agents discovered various virtual machines utilized for the attacks, as well as a doxxing file containing personal information about five Disney employees and the mother of one of these individuals.

Upon completion of his prison sentence, Scheuer will face an additional three years of supervised release. This period will include various conditions such as a ban on any contact with Disney or the individuals affected by his actions. This case serves as a stark reminder of the vulnerabilities that exist within even the largest and most technologically advanced organizations.