Discover what great technology looks like!

The Latest Moral We Can Learn from Disney: Manage Permissions Better

The Latest Moral We Can Learn from Disney: Manage Permissions Better

The Disney brand has long cultivated an image of magic and wonder. However, this image has yet to materialize any magical effects in reality. For example, people still suffer from food allergies while visiting Disney’s various parks.

This makes it especially dangerous that a former Disney employee was allegedly still able to access a specialized menu-planning app and make alterations, like changing prices, adding language that Disney certainly would not approve of, switching text to the unintelligible “Wingdings” font, and worst of all… changing menu information.

More specifically, as an agent with the Federal Bureau of Investigation put it in the official complaint:

“The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies.”

There’s nothing quite like lethal anaphylaxis to make a family vacation memorable, right?

Fortunately, Disney caught the issue before any altered menus were distributed to their restaurants, and investigators have found no evidence that a customer ever saw them.

Furthermore, there is no indication that these events are in any way related to the October 2023 death in a Disney-owned restaurant after allergens were ingested.

How Did These Changes Happen?

Simply put, someone had permissions that they shouldn’t have.

According to the FBI complaint, the accused—former Disney employee and menu production manager Michael Schuer—allegedly used his existing Disney credentials to access the menu-planning app and make the above changes while using other old logins to access the app developer’s server.

However, once the Wingdings appeared, other Disney employees caught the issue and took the app offline… but not before many employee accounts had been locked due to the accused allegedly utilizing scripts to automate logins, meaning that over a dozen employee accounts exceeded their acceptable number of login attempts.

The complete criminal complaint offers more details about this event and the inciting attacks.

The Moral of the Story: Pay Closer Attention to User Permissions

This entire situation could have been avoided if the alleged perpetrator’s access had been appropriately removed once his employment was terminated. However, that one oversight allowed this potentially very dangerous attack to progress as much as it did.

While we don’t ask this to frighten you, it needs to be asked: when was the last time you checked who can access what in your business?

You may be surprised by what you find. It can be too easy to overlook deleting a user’s profile if they leave the company, and it can be even easier for these profiles to have more access than they need. This is precisely why the Principle of Least Privilege—restricting everything to only those who require it for their day-to-day responsibilities—is so critical.

After all, once someone leaves your company, they no longer need any of your data and should not be able to access it.

Techworks Consulting, Inc. can help you evaluate and audit your business’ permissions, making it more secure by reducing the number of ways a cybercriminal could use to get in… and yes, a former employee with an ax to grind counts. Give us a call at (631) 285-1527 to learn more.

Get More Out of Your Business with Enterprise Soft...
Even the NSA Recommends Rebooting Your Devices, Bu...
 

Comments

No comments made yet. Be the first to submit a comment
Guest
Already Registered? Login Here
Guest
Sunday, 01 December 2024

Captcha Image

Contact Us

Learn more about what Techworks Consulting, Inc. can do for your business.

Call Us Today
Call us today
(631) 285-1527


Headquarters
760 Koehler Ave, Unit #3
Ronkonkoma, New York 11779

HIPAA Seal of Compliance” width=

HIPAA Seal of Compliance” width=

Latest Blog

X The Everything App®, formerly Twitter, has been experiencing a massive user loss for the past few weeks, with everyone from celebrities to average people evacuating from the platform. If you wish to join them for any reason, we’re sharing...
TOP