Former Disney Employee Sentenced to Prison for Hacking Restaurant Menus in Revenge Scheme
In a case that highlights the intersection of cybercrime and workplace retaliation, a former Disney employee was sentenced to three years in federal prison for hacking the company’s restaurant menus and targeting colleagues with cyberattacks. The sentencing, issued on April 29, 2025, concludes a bizarre saga involving altered food labels, prank dish names, and harassment.
Michael Scheuer, the ex-Disney worker at the center of the case, was terminated in June 2024 following a workplace dispute that escalated into a panic attack. His defense team argued that his firing stemmed from a lack of mental health accommodations, but instead of pursuing legal action, Scheuer took revenge into his own hands—with chaotic consequences.
Using a shared team login, Scheuer accessed Disney’s internal systems and tampered with restaurant menus across the company’s properties. His edits ranged from dangerous to absurd. He modified allergen information, potentially putting guests with food allergies at risk. Other changes were more comical, such as renaming “Shellfish” to “Hellfish” or switching fonts to Wingdings, making menus nearly illegible.
Beyond the menu hacking, Scheuer launched denial-of-service (DoS) attacks against 14 Disney employees, many of whom were involved in his termination. These attacks locked victims out of their accounts through relentless fake login attempts. Investigators later discovered he had stalked one employee, showing up outside their home.
Disney corrected the altered menus before they reached restaurants, preventing harm to guests. Prosecutors, however, argued Scheuer’s actions were deliberate, not impulsive. Court documents noted he discreetly altered menus to avoid detection, demonstrating clear intent.
Scheuer’s defense team painted a different picture, claiming he acted out of desperation after being wrongfully fired and denied mental health support. The court acknowledged this but ruled his crimes demanded serious consequences.
The case underscores the risks of insider threats in corporate cybersecurity. Even trusted employees can exploit vulnerabilities, especially when personal grievances are involved. For Disney, the incident was a wake-up call, exposing gaps in system safeguards.
As Scheuer begins his prison term and faces nearly $690,000 in fines, the story serves as a cautionary tale about unchecked retaliation—and the fine line between a cry for help and criminal behavior.
Disney identified and removed all altered menus before they reached restaurants, according to CNN, highlighting the company’s swift response. Yet the question lingers: Could this have been prevented with better workplace support for employees in crisis?
For now, the case is closed, but its lessons about cybersecurity, mental health, and corporate accountability remain. The incident serves as a reminder that workplace conflicts, when left unresolved, can spiral into costly and damaging outcomes. Companies must balance robust security measures with compassionate employee support to mitigate such risks.
