Why you should always offboard outgoing staff: A disgruntled ex-Disney employee targeted former colleagues with DDoS attacks and hacked its menu system to change peanut allergen information

A former Disney employee faces federal cyber crime charges after being accused of hacking into the entertainment giant’s menu system.

The disgruntled ex-menu production manager, Michael Scheuer, was fired in June for alleged misconduct, but is now charged with attempting to mislabel menu items, hiding the fact they contained peanuts.

“The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies,” the complaint alleged.

As well as using his existing access to alter allergy information on Disney menus to endanger diners, he is accused of launching cyber attacks on fellow Disney employees.

According to a federal complaint, Scheuer tried to lock 14 Disney employees out of their accounts by repeatedly entering incorrect passwords. The individuals targeted had all interacted with Scheuer in some capacity or were members of upper-level management.

Scheuer is also accused of launching DDoS attacks against four employees, and he is also accused of collecting sensitive information related to Disney employees.

Federal agents raided Scheuer’s home in late September, seizing four personal computers, and found a folder labeled ‘dox’ which included PII relating to the targets of his DDoS attacks.

“There is probable cause to believe that Scheuer is actively a danger to one or more of the victims of his denial of service attacks,” the complaint added.

Disney incident shows why you should always be wary of insider threats

Disney confirmed that the altered menus were caught before being distributed to restaurant guests, but the incident underscores the dangers posed by former employees who still have access to corporate networks.

In June 2024, a disgruntled ex-employee deleted 180 virtual servers from his former employer’s corporate environment after being dismissed from his role.

The Singaporean resident, Kandula Nagaruaju, incurred damages of $918,000 Singaporean dollars (~£534,000) for the IT firm NCS , and was sentenced to two years and eight months in jail.

Speaking to ITPro, Damian Garcia, head of GRC consultancy at IT Governance Ltd, said the Disney incident is the latest example of how dangerous insider threats can be to an organization, their employees, and customers.

“This incident shows just how serious insider threats can get – a former employee using their access to cause intentional, life-threatening harm,” Garcia said.

“It highlights the real danger of not revoking access right away after a difficult departure. Situations like this make it clear that insider threats aren’t just about financial loss or reputation – they can be a matter of life and death.”

Rhaul Tyagi, CEO and founder of security firm SECQAL, echoed Garcia’s comments, telling ITPro that in addition to the danger to customers, the incident will have also caused significant business disruption and put employee’s at risk too.

“Beyond this threat to life, the incident also led to customer-facing business disruptions, with employees locked out of critical operational systems. The hacker is also reported to have stolen the personal information of other employees,” he added.

“This case underscores how even the most seemingly innocuous systems or data can be weaponized by malicious insiders. While trust is an essential part of the employee-employer relationship, organizations can no longer rely on goodwill alone. Proactive technical safeguards are crucial to mitigate the risks posed by company leavers.”

Garcia said companies can protect themselves from insider threats by reassessing their offboarding process.

“To guard against such threats, organizations must have strong offboarding procedures in place, revoking access as soon as someone leaves, especially in high-risk cases,” he explained.

Access should also be “strictly limited” based on specific job roles, Garcia said. In doing this, organizations can ensure employees only have essential permissions.

Continuous monitoring is another recommended approach. By monitoring for unusual behavior, like login attempts at odd hours or unexpected data transfers, security teams can flag potential threats before they escalate.

Garcia added that building a stronger understanding of how staff members can become a threat to your organization is vital to prevent it happening in the future.

“A deeper understanding of why employees turn malicious is also essential. Often, disgruntled or unhappy employees – particularly those with technical knowledge and skills – pose the highest risk,” he said.

“Monitoring satisfaction and performance, especially for staff in critical roles, can help identify issues early and reduce the chance of internal sabotage.”