FBI: Fired Disney Employee Hacked Menu System To Alter Peanut Allergy Information

A disgruntled former Walt Disney World employee allegedly hacked Disney's menu system to alter allergy information.

The Federal Bureau of Investigation arrested Michael Scheuer, a past menu production manager after he allegedly used old passwords to get into Disney's menu system to alter peanut allergy information.

The FBI's affidavit, available on Court Listener, alleged that Scheuer, "knowingly causing the transmission of a program, information, code, or command to a protected computer and intentionally causing damage without authorization in excess of $5,000."

"I believe there is probable cause to believe that Scheuer knowingly and without authorization caused the transmission of a program, information, code, or command to a protected computer and intentionally caused damage," Timothy Callinan, a special agent of the Federal Bureau of Investigation who worked on the case, said in his affidavit.

Scheuer, who was terminated for misconduct, performed a series of online attacks on Disney World and his past co-workers by hacking into their work accounts and accessing valid credentials to download approved menus and altering them.

Scheuer allegedly accessed Disney's proprietary "Menu Creator" system multiple times without permission after he was let go.

He would allegedly manipulate different aspects of the menu such as fonts, prices and language details such as peanut allergy warnings.

The incidents took place between June 12 and September 23 and officials claim the alterations posed severe health risks to the public.

Disney World, referred to in court documents as "Company A," reported substantial disruptions to its operations, with damages estimated at $150,000.

Scheuer's actions forced Disney to take the menu system offline, reverting to manual processes and backups.

Scheuer is also accused of denial-of-service (DoS) attacks on 14 Disney employees, who allegedly played a role in his termination, repeatedly locking them out of their accounts.

The affidavit said that he developed a script to perform automated logon attempts and had "attempted over 100,000 logons to the victim accounts."

Evidence showed that Scheuer created a "dox" folder containing the employees' personal information.

Video from a Ring camera video showed him at the home of one of the victims. They said they had to stay at a hotel out of fear for their safety.