A former Disney employee, Michael Scheuer, reportedly hacked into Disney’s internal menu system following his termination, altering allergen notifications and changing fonts to unreadable Wingdings symbols, as reported by Court Watch News.
His alleged act of revenge, which could have jeopardized visitor safety, underscores the importance of rigorous offboarding practices when an employee is terminated.
Revenge Hacks On The Rise
As in the alleged Disney incident involving Michael Scheuer, “revenge” hacks by former employees are a real and growing issue in cybersecurity.
These types of insider threats are typically classified as “disgruntled insider” attacks, where former employees, motivated by feelings of resentment or revenge, exploit their previous access to cause harm to the company.
This trend is particularly concerning because disgruntled insiders can use their knowledge of internal systems to carry out targeted disruptions. Studies show that nearly a quarter of insider threat incidents involve some form of “malicious intent,” including sabotage, data theft, and fraud.
A 2024 report by Securonix highlights that companies have increasingly seen insiders misuse access to take retaliatory actions, with motivations ranging from disagreements with management to perceived injustices during termination.
These incidents often result in direct damages, such as data breaches, service disruptions, and financial loss, as well as indirect effects, including reputational damage and customer trust issues.
What To Do? Terminations And Insider Threats
When employees are terminated, especially in contentious situations, companies should take thorough steps to ensure they no longer have any access to sensitive systems.
Immediate Revocation of Access
As soon as an employee is terminated, all digital and physical access credentials should be revoked. This includes login credentials, VPN access, badge access to buildings, and any other means by which the former employee could access systems or physical facilities. In cases like this Disney incident, quick termination of access could have prevented a situation in which a former employee allegedly retained the ability to log into sensitive platforms post-departure.
In these situations, it is wise to schedule a joint HR and IT review before termination to ensure every access point is identified and deactivated. This process helps avoid oversights, especially with employees who held roles granting them access to multiple platforms.
Conduct A Post-Termination Security Audit
A thorough security audit following an employee’s departure is essential, especially for roles involving access to proprietary data or administrative systems. In addition to ensuring that permissions are fully removed, this audit verifies that no unauthorized pathways remain, such as saved passwords or login credentials stored on shared devices. In cases of employees with access to sensitive areas, such as Disney’s menu systems, audits help eliminate potential entry points for unauthorized activity.
For example, after the initial revocation of access, review logs and activity on all systems the individual had access to in the 90 days prior to termination, looking for unusual patterns or unexplained permissions that might need attention. This can prevent areas from being overlooked that former employees could exploit.
Enhanced Monitoring of High-Risk Systems Post-Departure
Monitoring systems for unusual activity in the weeks following a termination can alert security teams to unauthorized access attempts. This is especially important for employees who may have had administrative access, allowing them to alter systems or databases. Implementing real-time alerts and activity logging can be a critical line of defense.
In practice, this means setting up enhanced monitoring on all systems the former employee accessed for a period of 30-90 days, with real-time alerts for login attempts, file modifications and unusual access times, so that unauthorized access attempts are caught early.
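The monitoring described above can be expressed as a small detection rule. The Python below is an added example, not code from the original article or from any system it describes: it flags login attempts, file modifications and off-hours activity by terminated accounts inside the watch window. The account names, the "menu-admin" system name, the log format and the business-hours range are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed offboarding roster: account -> termination time. "jdoe" is hypothetical.
TERMINATED = {"jdoe": datetime(2024, 6, 3, 17, 0)}
WATCH_DAYS = 90                 # upper end of the 30-90 day window
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 is normal working time

# Constructed events in an assumed "timestamp user action target result" format.
SAMPLE_LOG = """\
2024-06-03T16:10:00 jdoe login vpn success
2024-06-05T02:14:00 jdoe login menu-admin failure
2024-06-05T02:15:30 jdoe login menu-admin success
2024-06-05T02:19:00 jdoe file_modify menu-admin success
2024-06-06T10:00:00 asmith login menu-admin success
2024-10-01T09:00:00 jdoe login vpn failure
"""

def post_termination_alerts(log_text, terminated=TERMINATED, watch_days=WATCH_DAYS):
    """Return one alert per event by a terminated account inside its watch window."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines instead of crashing
        ts, user, action, target, result = fields
        when = datetime.fromisoformat(ts)
        cutoff = terminated.get(user)
        if cutoff is None or when <= cutoff:
            continue  # current staff, or activity before the termination
        if when > cutoff + timedelta(days=watch_days):
            continue  # enhanced window over; baseline alerting takes over
        reasons = [f"{action}_{result}"]
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        # A success means revocation missed this system; a failure means it held.
        severity = "critical" if result == "success" else "warning"
        alerts.append({"time": ts, "user": user, "system": target,
                       "severity": severity, "reasons": reasons})
    return alerts

def systems_needing_revocation(alerts):
    """Systems where a terminated account still got in: re-check access there first."""
    return sorted({a["system"] for a in alerts if a["severity"] == "critical"})

if __name__ == "__main__":
    found = post_termination_alerts(SAMPLE_LOG)
    for a in found:
        print(a["severity"].upper(), a["time"], a["user"], a["system"], ",".join(a["reasons"]))
    print("re-check access on:", systems_needing_revocation(found))
```

A "critical" alert means a credential that should have been revoked still worked, so the named system goes back to the access review; a "warning" means revocation held but someone is still trying the account.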
Post-Termination Insider Threats
Organizations face real challenges from both outside and inside the gate. These allegations are a reminder that organizations need comprehensive offboarding procedures as part of their insider threat prevention measures.
Revoking access, conducting audits, and monitoring activity are essential practices that can significantly reduce the risk posed by former employees.
With these safeguards in place, businesses can better protect their operations, reputation, and customer safety while minimizing the potential for retaliatory behavior by disgruntled former employees.
I have contacted Disney for comment and they have not yet responded.