The Disney brand has long cultivated an image of magic and wonder. However, this image has yet to materialize any magical effects in reality. For example, people still suffer from food allergies while visiting Disney’s various parks.

This makes it especially dangerous that a former Disney employee was allegedly still able to access a specialized menu-planning app and make alterations, like changing prices, adding language that Disney certainly would not approve of, switching text to the unintelligible “Wingdings” font, and worst of all… changing menu information.

More specifically, as an agent with the Federal Bureau of Investigation put it in the official complaint:

“The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies.”

There’s nothing quite like lethal anaphylaxis to make a family vacation memorable, right?

Fortunately, Disney caught the issue before any altered menus were distributed to their restaurants, and investigators have found no evidence that a customer ever saw them.

Furthermore, there is no indication that these events are in any way related to the October 2023 death in a Disney-owned restaurant after allergens were ingested.

How Did These Changes Happen?

Simply put, someone had permissions that they shouldn’t have.

According to the FBI complaint, the accused—former Disney employee and menu production manager Michael Schuer—allegedly used his existing Disney credentials to access the menu-planning app and make the above changes while using other old logins to access the app developer’s server.

However, once the Wingdings appeared, other Disney employees caught the issue and took the app offline… but not before many employee accounts had been locked due to the accused allegedly utilizing scripts to automate logins, meaning that over a dozen employee accounts exceeded their acceptable number of login attempts.

The complete criminal complaint offers more details about this event and the inciting attacks.

The Moral of the Story: Pay Closer Attention to User Permissions

This entire situation could have been avoided if the alleged perpetrator’s access had been appropriately removed once his employment was terminated. However, that one oversight allowed this potentially very dangerous attack to progress as much as it did.

While we don’t ask this to frighten you, it needs to be asked: when was the last time you checked who can access what in your business?

You may be surprised by what you find. It can be too easy to overlook deleting a user’s profile if they leave the company, and it can be even easier for these profiles to have more access than they need. This is precisely why the Principle of Least Privilege—restricting everything to only those who require it for their day-to-day responsibilities—is so critical.

After all, once someone leaves your company, they no longer need any of your data and should not be able to access it.

Dresner Group can help you evaluate and audit your business’ permissions, making it more secure by reducing the number of ways a cybercriminal could use to get in… and yes, a former employee with an ax to grind counts. Give us a call at (410) 531-6727 to learn more.