Michael Scheuer, a former menu production manager at Disney, is accused of launching a cyberattack on his former employer.
After his termination on June 13, 2024, Scheuer allegedly launched a series of cyberattacks against Disney from June to September 2024.
Leveraging his knowledge of Disney's systems, he targeted the company's proprietary menu creation system, secure file transfer servers, and employee accounts.
Scheuer's alleged actions included:
- Infiltrating the "Menu Creator" system and replacing all fonts with symbols, rendering the system inoperable.
- Accessing secure file transfer servers to download, alter, and re-upload legitimate menus.
- Adding false allergen information to menus, indicating that certain items were safe for individuals with peanut allergies when they were not.
- Manipulating QR codes on digital menu boards to redirect customers to an unrelated website.
The most concerning aspect was the alteration of allergen information, which could have had potentially fatal consequences for customers with severe allergies.
Disney's internal investigation revealed that Scheuer created a fictitious user account to gain unauthorized access to the Menu Creator system.
The FBI executed a search warrant at Scheuer's home and found evidence tying him to the hacks.
https://www.forbes.com/sites/larsdaniel/2024/10/30/disney-employee-hacked-menus-after-termination-in-alleged-revenge-plot/
Commentary
According to a report by Unit 42, 75 percent of insider cyberattacks are carried out by disgruntled ex-employees. These attacks often involve ex-employees who left with company data, destroyed company data, or accessed company networks after their departure.
In the above matter, the ex-Disney employee is alleged to have created a "fictitious user account".
A fictitious user account is a false account created within a system to gain unauthorized access or perform fraudulent activities. These accounts are often used to bypass security measures, manipulate data, or carry out malicious actions without being detected.
It should also be noted that multiple user accounts are often created by accident. It is not uncommon for a person to create a new account because they forgot they had created an account previously.
Prevention of insider attacks starts with limiting access. Only people who need access should have an account. Moreover, most accounts should have limitations. Providing every account "all access" privileges is not a best practice.
Cybersecurity policies should make it clear to users that only one account is permitted, and that the creation of multiple accounts is prohibited. The policy should let people report violations of the policy and prohibit retaliation for reporting them.
The next step is auditing the accounts on your systems, which should not be too difficult if you have limited access. Each account should be tied to a person with access. Any other account that you cannot tie to a person, including duplicate and extra accounts, should be eliminated.
The final takeaway is that before the termination or suspension of any employee, all workplace user accounts (including email and IM) of the employee in question should be closed (for termination) or suspended (for the length of the suspension). This helps prevent reprisal cyberattacks and other types of attacks from disgruntled ex-employees.
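One way to run the account audit described above, as an added example that is not from the article or from Disney's systems: it reconciles an account export against an HR roster and flags accounts with no named owner, more than one enabled account per person, and accounts still enabled (or used) after the owner's departure. The CSV column names, usernames and dates are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample data (hypothetical columns and names, not from any real system).
HR_ROSTER = """employee_id,name,status,end_date
E100,Ana Ruiz,active,
E101,Ben Cole,terminated,2024-05-31
E102,Chen Li,active,
"""
ACCOUNTS = """username,owner_id,enabled,last_login
aruiz,E100,true,2024-09-01
bcole,E101,true,2024-07-02
cli,E102,true,2024-08-30
cli2,E102,true,2024-03-11
menu_svc9,,true,2024-08-15
"""

def audit(roster_csv, accounts_csv):
    """Return findings as {category: [usernames]} for enabled accounts."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = {"orphan": [], "duplicate": [], "departed_but_enabled": [],
                "login_after_departure": []}
    by_owner = defaultdict(list)
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].lower() != "true":
            continue  # disabled accounts cannot be used to log in
        person = roster.get(acct["owner_id"])
        if person is None:
            # No named owner on the roster: candidate fictitious account.
            findings["orphan"].append(acct["username"])
            continue
        by_owner[acct["owner_id"]].append(acct["username"])
        if person["status"] == "terminated":
            findings["departed_but_enabled"].append(acct["username"])
            ended = date.fromisoformat(person["end_date"])
            if acct["last_login"] and date.fromisoformat(acct["last_login"]) > ended:
                findings["login_after_departure"].append(acct["username"])
    for names in by_owner.values():
        if len(names) > 1:  # policy above: one account per person
            findings["duplicate"].extend(sorted(names))
    return findings

if __name__ == "__main__":
    for category, names in audit(HR_ROSTER, ACCOUNTS).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Service accounts show up as orphans under this check unless each is assigned a named owner on the roster, which is the same rule the audit applies to every other account.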
Additional Sources: https://www.informationweek.com/cyber-resilience/75-of-insider-cyber-attacks-are-the-work-of-disgruntled-ex-employees-report