Disney worker who hacked menus gets 3 years in prison

https://www.nytimes.com/2025/04/26/us/disney-worker-prison-hacking.html

21•jseip•10h ago

Comments

mattl•10h ago

Changing prices and adding profanity is one thing but when you alter the allergens on a menu you put people’s lives at risk.

sega_sai•9h ago

From the article: "None of the changes, including falsified information about food allergens that could have been harmful to visitors, ever appeared before the public, according to court records."

EA-3167•9h ago

It was caught through review, and the defense claimed that he knew that would be the case and therefore he put no one at risk. I'd argue that systems can fail, review can fail, and if that happened people could have died. Giving him credit for that seems absurd, and his claim that he just wanted attention is equally absurd. If you just want attention the profanity and price changes would achieve that.

Regardless he wasn't convicted of any crime related to potential harm to customers, he was convicted for hacking and identity theft.

SoftTalker•9h ago

And probably only because Disney was his target and could pay a technical team unlimited money to investigate and spoon-feed the FBI and prosecutor everything they needed. A smaller chain or independent bar/restaurant would not have even gotten the time of day with a complaint about someone changing prices on a menu. And they would have been the ones in court defending any claims of injury due to undisclosed allergens, with only a vague claim of "our menu must have been hacked."

sokoloff•9h ago

> he just wanted attention

Achievement unlocked.

erickhill•9h ago

This is a dupe of an earlier submission https://news.ycombinator.com/item?id=43811864

shadowgovt•9h ago

What credentials / access did he use to get into Disney's system after he was terminated?

squiffsquiff•3h ago

Scheuer allegedly went into action quickly following his termination, and by early July was said to have used his work credentials, which still functioned after his termination, to access the menu creation system Disney contracted another company to create and change all the fonts in the system to wingdings symbols.

https://www.theregister.com/2024/10/30/fired_disney_employee...

shadowgovt•1h ago

Okay. So while jail is probably appropriate given the potential threat of harm if nobody had reviewed the menus prior to their publication with the allergens stripped...

The tech community should not let Disney off the hook for failing to scrub the access credentials of a terminated employee. Because the law can punish one actor, but if the attack vector is still open, the public isn't safe from future more subtle incidents of menu manipulation (or other similar attacks by other disgruntled employees).

Is there any information on what Disney did after this incident to prevent another Scheuer in the future? The root of the attack is that the sFTP system was accessible via "credentials [that] were non-individualized, not specific to a particular user, and available for use by multiple employees with administrative access."

(I'm also a little unclear on whether this was all owned by Disney proper or they were farming this out to a third-party service provider company and that company screwed up. With so many entertainment venues in such a small area, Orlando is positively shot through with high-volume, hyper-focused service provider companies that do stuff like this).

b8•9h ago

The restitution seems too high. He probably was fired for going on mat leave as other companies have shown to do and wanted payback. The "unspecified misconduct" firing reason seems weird and they won't expand on it.

geor9e•8h ago

Disney is quite famous for its strict allergen handling, to the point where people with deadly allergies who don't trust eating out anywhere else make an exception for Disney restaurants. So, were it not for this mass murder attempt, he probably would have gotten off a lot more lightly for some mischief charges.

Internet in a Box

New material gives copper superalloy-like strength

Show HN: I made a web-based, free alternative to Screen Studio

How a single line of code could brick your iPhone

Read the Obits

AI Helps Find a Cause of Alzheimer's Disease and Identify Therapeutic Candidate

Show HN: I486SX_soft_FPU – Software FPU Emulator for NetBSD 10 on 486SX

I just want to code (2023)

The suburban office park that launched Silicon Valley

Did 5G kill the IMSI catcher?

How a Pipe Organ Works (2020)

Computer Architects Can't Find the Average

Reverse geocoding is hard

Restoring a Sinclair C5

The coming knowledge-work supply-chain crisis

Virginia passes law to enforce maximum vehicle speeds for repeat speeders

Shardines: SQLite3 Database-per-Tenant with ActiveRecord

Cut: Chattanooga Civic User Testing

Business co-founders in tech startups are less valuable than they think

Tiny Emulators

Show HN: Daily Jailbreak – Prompt Engineer's Wordle

ZFS: Apple's new filesystem that wasn't (2016)

Libogc (Wii homebrew library) discovered to contain code stolen from RTEMS

Ask HN: CS Degrees, do they matter again?

Extend (YC W23) is hiring engineers to build LLM document processing

Show HN: I created snapDOM to capture DOM nodes as images with exceptional speed

Show HN: Bhvr, a Bun and Hono and Vite and React Starter

TmuxAI: AI-Powered, Non-Intrusive Terminal Assistant

In Memoriam: SF and Fine Artist David Schleinkofer

Boxie – an always offline audio player for my 3 year old