The fired Disney employee allegedly hacked into the company's system to change allergy information on menus

CNN
—

According to a federal criminal complaint filed in Florida, a fired Disney employee allegedly hacked into the company's servers to alter the restaurant's menus, including falsifying allergen information and printing profanities.

The lawsuit, filed Oct. 23 in the U.S. District Court for the Middle District of Florida, does not name Disney. However, David Haas, an attorney representing the suspect in the case, confirmed to CNN that Disney is the company involved in the complaint.

According to the complaint, Disney identified and removed all altered menus before sending them to restaurants.

The complaint was first reported by 404 Media and Court Watch.

Michael Scheuer, who worked as a menu production manager for Disney, was fired in June for misconduct, according to the complaint. According to the complaint, as part of his job at the company, Scheuer had access to secure internal servers and used them to create and publish menus for all Disney restaurants.

After his firing, Scheuer repeatedly hacked into the company's proprietary software that creates and distributes menus to Disney-operated restaurants, launching a months-long cyberattack campaign against the company and its employees.

Scheuer is said to have hacked into Disney's menu creation servers on multiple occasions in order to manipulate and disrupt the menus, for example by changing prices and adding profane expressions. Scheuer then made changes to the menus that “threatened public health and safety,” the complaint says. This included changing allergen information to indicate that certain menu items containing peanuts were peanut-free, posing a fatal risk to those with peanut allergies.

Scheuer denied wrongdoing and said Disney “tried to frame him” because they were concerned about the conditions under which he was fired, the complaint says.

Haas, a lawyer representing Michael Scheuer, told CNN that the allegations “recognize that no one was injured or harmed.”

Scheuer had a “mental disability” which, according to Haas, led to a panic attack at work. Scheuer was initially suspended and then fired. “Disney did not respond to his inquiries regarding his firing and subsequently filed a (Equal Employment Opportunity Commission) complaint. Complaint as an answer,” said Haas.

Disney and the U.S. Attorney's Office for the Middle District of Florida declined to comment.

In July, the company conducted an internal investigation and uncovered changes to its menu creation system that rendered all menus unusable, the complaint says. According to the complaint, Disney's menu creation system was compromised for one to two weeks and manual processes had to be used to correct the menus.

Disney employees discovered the glitch when Scheuer converted the fonts of menu texts into icon symbols called wingdings.

“This change was so extensive that it caused the Menu Creator system to become inoperable while the font changes were made to all menus,” the complaint states. “Company A was forced to take the Menu Creator application offline while it resorted to backups to restore operational capability.”

In addition, Scheuer is said to have deactivated employee accounts during his hacking campaigns. He is alleged to have locked out at least 14 Disney employees from their accounts by continually attempting to log into their accounts using incorrect passwords. Scheuer used a bot to make over 100,000 login attempts into her accounts, rendering them unusable, the complaint states.

According to the complaint, Scheuer also allegedly changed the QR codes on Disney menus to direct people to a website promoting boycotts of Israel-affiliated companies. Disney printed the altered QR codes, but identified them and removed them before sending them to restaurants, the complaint says.

Scheuer's cyberattacks cost Disney at least $150,000, the lawsuit says.