A former Walt Disney World employee who hacked the company’s digital menu system and tampered with allergen information — falsely labeling peanut-containing items as safe — was sentenced to prison on April 24.
The tampering posed potentially life-threatening risks to allergy sufferers and exposed significant vulnerabilities in food safety cybersecurity.
Michael Scheuer, 41, of Winter Garden, FL, was sentenced to 36 months in prison and ordered to pay $687,776 in restitution, with approximately $620,000 going to Disney and $70,000 to the third-party software provider for the Menu Creator system. Scheuer, terminated by Disney for misconduct on June 13, 2024, following a mental health-related incident that led to an Equal Employment Opportunity Commission (EEOC) complaint against Disney, began attacking the company’s proprietary Menu Creator software in July.
Scheuer altered allergen data to falsely claim items were free of peanuts, tree nuts, shellfish and milk, changed fonts to unreadable Wingdings, inserted profanity, manipulated QR codes to redirect to an activist website, renamed wine regions after mass shooting sites, and embedded a swastika graphic in a menu. The sabotage rendered the system inoperable for more than a week, with some estimates suggesting up to two weeks, forcing Disney to revert to backups.
The incident also exposed Disney’s failure to promptly revoke Scheuer’s system access. Disney intercepted the altered menus before distribution, preventing harm to diners.
Coordinated attacks extended to employees
Scheuer also launched denial-of-service (DoS) attacks on 14 Disney employees, many of whom had prior interactions with him, locking them out of their accounts through more than 100,000 automated incorrect login attempts. During a search of his home on Sept. 23, 2024, FBI agents found virtual machines and a folder containing personal data for four targeted employees and a relative.
On the evening of Oct. 22, 2024, after learning of a Google account search warrant, Scheuer was caught on a Ring doorbell camera at a victim’s home, reading a package label and giving a thumbs-up, which investigators interpreted as potential intimidation, prompting Disney to relocate the employee for safety.
Food safety risks in the digital era
Peanut allergies affect about 2 percent of U.S. children and can cause anaphylaxis, a potentially fatal reaction. Though no injuries were reported, Disney estimated direct damages of at least $150,000. The company has discontinued the third-party Menu Creator system and is transitioning to a new, more secure system while relying on manual processes in the interim.
The incident has prompted experts to call for stronger cybersecurity in food service, particularly for systems handling allergen information, emphasizing better access controls and immediate credential revocation for terminated employees.
Sentencing and broader implications
Scheuer pleaded guilty on Jan. 29 of this year in U.S. District Court for the Middle District of Florida to one count of computer fraud and one count of aggravated identity theft. On April 24, Judge Julie Sneed sentenced him to 36 months in prison, three years of supervised release with conditions barring contact with Disney or victims, accessing certain systems, or engaging in similar cyber activities, and $687,776 in restitution. “Scheuer is remorseful,” said his attorney, David Haas, noting his client’s mental health challenges and family responsibilities.
Investigators linked the cyberattacks to Scheuer through IP logs tied to his use of Mullvad VPN, the same service used for his Disney email account. The DoS attacks stopped within minutes of FBI agents initiating contact during the September search.
(To sign up for a free subscription to Food Safety News, click here.)
