A fired Disney World employee must spend three years in federal prison and pay almost $700,000 after he hacked into software used by Disney restaurants to falsely show certain food items didn’t contain peanuts and other allergens.
Michael Scheuer, 40, of Winter Garden, was sentenced Wednesday in U.S. District Court for the Middle District of Florida after pleading guilty in January to one count of computer fraud and one count of aggravated identity theft as part of his deal with prosecutors, according to a U.S. Department of Justice news release announcing the sentencing Thursday. He must also forfeit the computer he used in the offenses and pay $687,776 in restitution to victims.
He was a menu production manager for Disney before he was terminated for misconduct in June, according to a criminal complaint filed in federal court. Disney no longer uses the Menu Creator software he hacked.
False information on food allergies could have deadly consequences, but it’s believed all of the altered menus were found before being shipped to restaurants.
Scheuer was arrested in October after an FBI investigation. Court records don’t mention Disney World by name, but Scheuer’s lawyer, David Haas, said in a statement to the Orlando Sentinel at the time of the arrest that Scheuer had been employed there.
In his plea agreement, Scheuer admitted to breaching the company’s software several times from around July to September. Most notably, Scheuer added notations to certain menu items falsely indicating they were safe for people with specific allergies such as to peanuts, tree nuts, shellfish and milk, according to the agreement.
Scheuer also changed wine regions on wine menus to areas that had recently suffered mass shootings, imbedded or added a swastika to at least one menu and changed menu QR codes to direct patrons to a website that urged boycotting Israeli companies and those with significant activities there, the agreement shows.
In addition, he blocked 14 Disney employees — including some former coworkers — from their company accounts through denial-of-service attacks, records show. The accounts were set to lock after too many failed login attempts and he used a script to make automated attempts totaling over 100,000. The criminal complaint against him said some of the targeted employees were involved in his firing.
After an internal investigation, Disney flagged him to the FBI as a potential suspect. The agency executed a search warrant at Scheuer’s residence in September and seized several electronic devices, records show. He initially denied involvement in the cyberattacks and said the company was trying to frame him, according to the complaint.
The FBI discovered he’d collected personal information about four employees targeted in the cyberattack that included phone numbers, email addresses, physical addresses, and names of family members and relatives, the complaint says.
The night before his arrest, Scheuer drove to the home of one of the targeted employees shortly before 11 p.m., walked to the front door and gave a thumbs up to the Ring doorbell camera before leaving, according to the plea deal. As a result, the employee left his residence and was placed in a hotel by Disney.