CoreTech Blog

CoreTech has been serving the Bowling Green area since 2006, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

The Latest Moral We Can Learn from Disney: Manage Permissions Better

The Disney brand has long cultivated an image of magic and wonder. That image has no effect on reality, though: people still suffer from food allergies while visiting Disney’s various parks.

This makes it especially dangerous that a former Disney employee was allegedly still able to access a specialized menu-planning app and make alterations, like changing prices, adding language that Disney certainly would not approve of, switching text to the unintelligible “Wingdings” font, and worst of all… changing menu information.

More specifically, as an agent with the Federal Bureau of Investigation put it in the official complaint:

“The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies.”

There’s nothing quite like lethal anaphylaxis to make a family vacation memorable, right?

Fortunately, Disney caught the issue before any altered menus were distributed to their restaurants, and investigators have found no evidence that a customer ever saw them.

Furthermore, there is no indication that these events are in any way related to the October 2023 death in a Disney-owned restaurant after allergens were ingested.

How Did These Changes Happen?

Simply put, someone had permissions that they shouldn’t have.

According to the FBI complaint, the accused, former Disney menu production manager Michael Scheuer, allegedly used his old Disney credentials, which still worked, to log in to the menu-planning app and make the changes above, and used other old logins to reach the app developer’s server.

Once the Wingdings appeared, other Disney employees noticed the problem and took the app offline. By then, however, the accused had allegedly run scripts that automated login attempts against other employees’ accounts; more than a dozen of those accounts exceeded their allowed number of login attempts and were locked out.

The complete criminal complaint offers more details about this event and the inciting attacks.
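The lockout pattern described above is also a detection opportunity. As an added example (not code from the complaint or from any Disney system), the script below reads constructed authentication log lines and flags any single source that drives several distinct accounts past the lockout threshold inside a short window. The log format, field names, addresses, usernames and thresholds are all assumptions chosen for illustration.

```python
"""Lockout-storm detection over authentication logs.

Added example, not code from the complaint or from Disney. The log format,
field names and thresholds are assumptions; the sample lines are constructed
to resemble one source scripting logins against many accounts until they lock.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # failed attempts that lock an account (assumed policy)
MIN_LOCKED_ACCOUNTS = 3          # distinct accounts one source must lock to raise an alert
WINDOW = timedelta(minutes=10)   # sliding window for counting failures per (source, user)

# Constructed sample: 203.0.113.7 cycles through three accounts until all three
# lock; 198.51.100.20 is a real user who mistypes once and then succeeds.
# Lines are assumed to be in time order, as a log export normally is.
SAMPLE_LOG = """\
2024-09-12T03:14:00Z src=203.0.113.7 user=jdoe result=FAIL
2024-09-12T03:14:01Z src=203.0.113.7 user=mlee result=FAIL
2024-09-12T03:14:02Z src=203.0.113.7 user=rkim result=FAIL
2024-09-12T03:14:10Z src=198.51.100.20 user=tpark result=FAIL
2024-09-12T03:14:15Z src=203.0.113.7 user=jdoe result=FAIL
2024-09-12T03:14:16Z src=203.0.113.7 user=mlee result=FAIL
2024-09-12T03:14:17Z src=203.0.113.7 user=rkim result=FAIL
2024-09-12T03:14:30Z src=203.0.113.7 user=jdoe result=FAIL
2024-09-12T03:14:31Z src=203.0.113.7 user=mlee result=FAIL
2024-09-12T03:14:32Z src=203.0.113.7 user=rkim result=FAIL
2024-09-12T03:14:40Z src=198.51.100.20 user=tpark result=SUCCESS
2024-09-12T03:14:45Z src=203.0.113.7 user=jdoe result=FAIL
2024-09-12T03:14:46Z src=203.0.113.7 user=mlee result=FAIL
2024-09-12T03:14:47Z src=203.0.113.7 user=rkim result=FAIL
2024-09-12T03:15:00Z src=203.0.113.7 user=jdoe result=FAIL
2024-09-12T03:15:01Z src=203.0.113.7 user=mlee result=FAIL
2024-09-12T03:15:02Z src=203.0.113.7 user=rkim result=FAIL
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_lockout_storms(lines, threshold=LOCKOUT_THRESHOLD,
                        min_accounts=MIN_LOCKED_ACCOUNTS, window=WINDOW):
    """Return {source: [locked users]} for every source that locked >= min_accounts accounts.

    An account counts as locked by a source once that source has produced
    `threshold` failures against it inside one sliding `window`.
    """
    failures = defaultdict(deque)      # (src, user) -> timestamps of recent failures
    locked_by_src = defaultdict(set)   # src -> accounts it pushed past the threshold
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "FAIL":
            continue
        q = failures[(rec["src"], rec["user"])]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            locked_by_src[rec["src"]].add(rec["user"])
    return {src: sorted(users) for src, users in locked_by_src.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    for src, users in find_lockout_storms(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src} locked {len(users)} accounts: {', '.join(users)}")
```

Your identity provider's own lockout events are a cleaner signal than reconstructing them from raw failures, and an attacker can spread attempts across many sources, so correlate on user agent, network range or the set of targeted accounts as well as the source address. The useful takeaway is the shape of the alert: many accounts, one origin, minutes apart.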

The Moral of the Story: Pay Closer Attention to User Permissions

This entire situation could have been avoided if the alleged perpetrator’s access had been revoked when his employment ended. That one oversight allowed a potentially very dangerous attack to progress as far as it did.

While we don’t ask this to frighten you, it needs to be asked: when was the last time you checked who can access what in your business?

You may be surprised by what you find. It is easy to overlook disabling a user’s account when they leave the company, and easier still for accounts to accumulate more access than their owners need. This is precisely why the Principle of Least Privilege, giving each user only the access their day-to-day responsibilities require, is so critical.

After all, once someone leaves your company, they no longer need any of your data and should not be able to access it, and that includes logins to third-party systems they used on your behalf.
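A concrete way to run that check, as an added example (not CoreTech’s code or any vendor’s API): reconcile the HR roster against the identity provider’s account export. Every record, field name and the role-to-entitlement baseline below are constructed for illustration; in practice the export comes from your directory or identity provider and the baseline from whoever owns each role.

```python
"""Offboarding and least-privilege audit.

Added example, not CoreTech's code or any product's API. It reconciles an HR
roster against an identity-provider account export and flags accounts that
should have been disabled, terminated users who still hold entitlements,
accounts with access beyond their role, and enabled accounts nobody owns.
All records, field names and the role-to-entitlement map are constructed.
"""
from datetime import date

# Constructed HR roster: employee id -> role and termination date (None = still employed)
HR_ROSTER = {
    "E1001": {"role": "menu_production", "terminated": None},
    "E1002": {"role": "menu_production", "terminated": "2024-06-13"},
    "E1003": {"role": "helpdesk", "terminated": None},
    "E1004": {"role": "finance", "terminated": "2024-11-01"},
}

# Constructed identity-provider export, one record per account
IDP_ACCOUNTS = [
    {"username": "ang", "employee_id": "E1001", "enabled": True,
     "entitlements": {"menu_app:editor"}},
    {"username": "broe", "employee_id": "E1002", "enabled": True,
     "entitlements": {"menu_app:editor", "vendor_vpn:user"}},      # left in June, still enabled
    {"username": "clim", "employee_id": "E1003", "enabled": True,
     "entitlements": {"helpdesk:agent", "menu_app:editor"}},       # more than helpdesk needs
    {"username": "dortiz", "employee_id": "E1004", "enabled": False,
     "entitlements": set()},                                        # correctly offboarded
    {"username": "svc_legacy", "employee_id": None, "enabled": True,
     "entitlements": {"vendor_vpn:admin"}},                          # no HR owner at all
]

# Assumed least-privilege baseline: what each role needs for day-to-day work
ROLE_ENTITLEMENTS = {
    "menu_production": {"menu_app:editor"},
    "helpdesk": {"helpdesk:agent"},
    "finance": {"erp:user"},
}


def _to_date(iso):
    """Parse an ISO date string from an export, or None when the field is empty."""
    return date.fromisoformat(iso) if iso else None


def audit_accounts(hr_roster, idp_accounts, today_iso):
    """Return a list of (username, finding_code, detail) tuples as of `today_iso`."""
    today = _to_date(today_iso)
    findings = []
    for acct in idp_accounts:
        user = acct["username"]
        emp = hr_roster.get(acct["employee_id"])   # None for service/orphaned accounts
        if emp is None:
            if acct["enabled"]:
                findings.append((user, "ORPHANED_ACCOUNT",
                                 "enabled account with no HR record"))
            continue
        terminated = _to_date(emp["terminated"])
        if terminated is not None and terminated <= today:
            days = (today - terminated).days
            if acct["enabled"]:
                findings.append((user, "ENABLED_AFTER_TERMINATION",
                                 f"still enabled {days} days after termination"))
            if acct["entitlements"]:
                findings.append((user, "RETAINS_ENTITLEMENTS",
                                 f"terminated user still holds {sorted(acct['entitlements'])}"))
            continue
        # Active employee: anything beyond the role baseline is excess access
        excess = acct["entitlements"] - ROLE_ENTITLEMENTS.get(emp["role"], set())
        if excess:
            findings.append((user, "EXCESS_ENTITLEMENTS",
                             f"beyond role '{emp['role']}': {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit_accounts(HR_ROSTER, IDP_ACCOUNTS, "2024-12-01"):
        print(f"{user:12} {code:26} {detail}")
```

The first two finding types are the Disney failure mode: an account that outlived its owner’s employment. The last two are what least privilege is meant to catch before anyone leaves. Note that the vendor VPN entitlements in the sample stand in for third-party systems such as the app developer’s server in this story; those need the same review as your own systems, and a nightly run of a check like this is cheap compared with discovering the gap the way Disney did.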

CoreTech can help you evaluate and audit your business’ permissions, making it more secure by reducing the number of ways a cybercriminal could use to get in… and yes, a former employee with an ax to grind counts. Give us a call at (270) 282-4926 to learn more.
