Fired Employee Allegedly Hacked Disney World's Menu System to Alter Peanut Allergy Information (404media.co) 135
An anonymous reader shares a report: A disgruntled former Disney employee allegedly repeatedly hacked into a third-party menu creation software used by Walt Disney World's restaurants and changed allergy information on menus to say that foods that had peanuts in them were safe for people with allergies, added profanity to menus, and at one point changed all fonts used on menus to Wingdings, according to a federal criminal complaint.
The suspect in the case, Michael Scheuer, broke into a proprietary menu creation and inventory system that was developed by a third-party company exclusively for Disney and is used to print menus for its restaurants, the complaint alleges. The complaint alleges he did this soon after being fired by Disney using passwords that he still had access to on several different systems. Once inside the systems, he allegedly altered menus and, in one case, broke the software for several weeks.
"The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies," the criminal complaint states. According to the complaint, the menus were caught by Disney after they were printed but before they were distributed to Disney restaurants. Disney's menus have extensive "allergy friendly" sections.
Ah not to worry. (Score:5, Insightful)
Even if there were allergy problems that arose from this, chances are the victim would be a Disney+ subscriber, so Disney is legally in the clear!
Re: (Score:2)
Would be funny if peanut allergy was not actually lethal.
Re: (Score:3, Interesting)
Has anyone figured out where this relatively NEW phenomenon of peanut allergies has come from?
There was NO such thing when I grew up as a kid....peanuts were at schools...hell on any given day, I'd say half the kids lunches in elementary school were PB&J's.....
No scares...no mass dying of peanuts.
So, what the hell caused this in the past couple decades?
Re: (Score:2)
Has anyone figured out where this relatively NEW phenomenon of peanut allergies has come from?
Agent Orange, perhaps?
Re:Ah not to worry. (Score:4, Informative)
Now, I doubt the US baby peanut intake used to be high, so there's probably another thing causing the allergy to manifest after they're not pre-emptively exposed.
Re:Ah not to worry. (Score:5, Interesting)
Re: (Score:3)
For a while, peanut allergies caused peanut allergies. Overreaction to the peanut allergies led to parents delaying introducing peanuts and peanut butter to the diet and older kids not being allowed to take a PB&J sandwich to school. Lack of exposure leads to more allergies.
Re: (Score:3)
Jonathan Haidt talks about this exact topic in the last chapter of his book, The Coddling of the American Mind. It's due to overreaction on the parent's and community's side. Basically there were a few cases of peanut allergy and all of a sudden everyone thought "No big deal. I'll just keep my kids away from peanuts." But by keeping the kids away from them, their bodies didn't learn to cope with the possible allergen at an early age and then it was too late.
The same thing happened with parents not allo
Re: Ah not to worry. (Score:2)
Re: (Score:2)
I'm seeing 8,000 in a ten year study on their website.
Re: Ah not to worry. (Score:2)
Re: (Score:2)
Here's a report from the government that relies on all the NISMART data [ojp.gov]. Basically, according to this analysis, most of the values went down between NISMART-2 (1999) and NISMART-3 (2013). Unfortunately, because of methodological differences, some of the numbers need to be taken with a grain of salt. Also, the type we're talking about (someone inviting a child or forcing a child into a van) which they call Stereotype Kidnapping is conspicuously missing. But, overall, it indicates that the number of child
Re: Ah not to worry. (Score:2)
Re: (Score:2)
Re: (Score:3)
No one really knows yet. We have immune system issues in my family ranging from Crohn's disease (both myself and my father) to nut and egg allergies. Some of the research that's come out specific to Crohn's disease is that people who live in or immigrate to western societies are more likely to develop it. There's also a correlation between Crohn's disease and northern latitudes. There appears to be both a biological and an environment component to it, but more people are getting it now than ever, but th
Re: (Score:2)
Re: (Score:2)
Re: Ah not to worry. (Score:2)
Probably a mix of peanut allergy awareness and the generally greater amount of food diversity in a globalized economy.
Peanut allergies generally come from not being exposed to peanuts at a young age. So as peanut allergy awareness went up, parents became scared to give their kids peanuts, which in turn means they're likely giving their kids peanuts allergies. Add in the schools that forbid peanuts because one kid has an allergy and it exacerbates the problem. There was even a period where the federal govern
Re:Ah not to worry. (Score:5, Informative)
This is a long and convoluted story
Around 2000 doctors were concerned about a relatively rare malady that occurs when infants eat adult foods and experience a nearly fatal response
It occurs in about 1 in 10,000 children, and as a result the American Pediatrics Association published a suggestion that parents strictly limit exposure of infants to anything but formula for the first six months of life
The net results of this were a tragic rise in the instance of food allergies, particularly involving peanuts, but including shellfish, eggs, other nuts, etc...
Some researchers noted that Israel has a popular infant food based on peanuts, and their population has a very low instance of food allergies
They conducted a study of Ashkenazi (to limit effects of genetics, they are very similar groups in both Israel and Europe) children in both Europe and Israel, and found that the ones who limited food variety in infancy had food allergy issues that the other group did not experience
Further studies such as Learning Early About Peanut (LEAP) trial (Du Toit G, et al. N Engl J Med. 2015;372:803-813). The study randomized 640 infants from 4-11 months of age with severe eczema and/or egg allergy to ingest or avoid peanut until 60 months of age. The study excluded infants with large positive skin prick tests (SPTs) to peanut, assuming they already were allergic, and stratified the enrolled infants as having no peanut SPT wheal or having one that was 1-4 millimeters in diameter.
The results showed that in the negative SPT group, the prevalence of peanut allergy at age 5 was 13.7% in the avoidance group vs. 1.9% in the consumption group (p<0.001; 86.1% relative risk reduction). Among those in the SPT positive group, the prevalence of peanut allergy was 35.3% in the avoidance group and 10.6% in the consumption group (p=0.004; 70% relative risk reduction). [nih.gov]
It is truly unfortunate that so many people now suffer from life-long food allergies due to the poorly thought out recommendations of well-meaning pediatricians
It is even worse, that parents continue to follow these 'rules' and are causing life long problems for their own children
Here is further reading for anybody who thinks they know better:
https://publications.aap.org/a... [aap.org]
https://publications.aap.org/p... [aap.org]
https://pmc.ncbi.nlm.nih.gov/a... [nih.gov]
https://www.nih.gov/news-event... [nih.gov]
https://www.nih.gov/news-event... [nih.gov]
Re: (Score:2)
In a way he's lucky because he's repulsed by even the smell, and his reaction seems to be to vomit instead of going onto anaphylactic shock. I'm
Re: (Score:2)
Re: (Score:3)
I am sorry that your allergist does not trust you enough to let you know what happened (see my documentation above)
Please go to this website and review the FDA suggested treatment for long-term resolution of peanut allergies
https://acaai.org/health-care-... [acaai.org]
There is a very good chance that you can keep your child from a life-long malady
Re: (Score:2)
I am sorry that your parents fucked up and you live with an allergy now, but you still should be able to read the last two links that I posted which represent five year summaries of studies following the 2017 LEAP study
The old saying applies, when you find yourself stuck in a hole, the first thing you do is stop digging
Also, not only are doctors people, they are frequently people with huge egos who fear lawsuits and rarely point out their mistakes to patients
Re: (Score:2)
Has anyone figured out where this relatively NEW phenomenon of peanut allergies has come from?
There's a ton of theories. And lots of conflicting studies.
For a while there was evidence suggesting that peanut exposure at a really young age led to increased odds of an allergy. That led to guidance recommending avoiding peanuts until age 3. It might have progressed to 3 in stages, I'm not sure.
Then there was evidence that aggressively avoiding peanuts actually increased the odds, so now the guidance is to introduce peanuts really early.
There have been studies recently that suggest that if the mother t
Re: Ah not to worry. (Score:2)
Re: (Score:2)
So, wait, am I hearing that PB&J's are banned at schools now?
Re: (Score:2)
I was shocked to hear a few years ago, from a parent that they said emphatically "YES" any peanut food, including PB&J's were banned at schools, for fear of one of the sensitive kids getting exposed to it.....I was blown away at such a thing, but apparently it is a thing.
Re: (Score:2)
He should have went for the lactose intolerance angle and gave most people diarrhea instead of trying to commit murder.
I wish more people would ask me about alternatives to murder. I'm REALLY good at not running around like a lunatic and murdering people.
Hell, he could have taken up basket weaving. Maybe make designs showing the Steamboat Willie version of Mickey Mouse having steamy romance with Peg-Leg Pete.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Attempted murder is iffy. CFAA is a slam dunk. Remember, that's what Aaron Swartz was threatened with 35 years or so for.
Re: Ah not to worry. (Score:2)
Could be negligent homicide if it actually led to any deaths. But yeah, not murder.
Re: (Score:2)
Obvious Question (Score:5, Informative)
Re: (Score:3)
Whose job is it to offboard employees such that they aren't just leaving people with access to their systems after firing them? HR? IT? I'm looking at you. I mean... c'mon.
Still have my accounts (active) after leaving 3 years ago. It's amazing, ain't it? They fire the capable, and keep the morons.
Re: (Score:2)
- passwords deactivated /\
- security keycard deactivated
- The supervisor with at least 2 big burly security guards walks up to the worker
- "You're fired"
- 5 minutes with the big burly security guards flanking the worker as he clears his desk of all personal items
- worker escorted off premises
--- all done in that order
Yes, it's as cold, heartless, and efficient as it sounds, and I'm very surprised Disney does not do this.
Re: (Score:2)
I am guessing this is related to cloud hosted services with shared passwords. Two great gotchas for proper security protocols.
Re: Obvious Question (Score:2)
You're wrong.
It's usually 15 minutes you're allowed before getting manhandled.
Re: (Score:2)
You kind of assume that both the IT department and management are organized well enough to do something in less than a week's time.
Re: (Score:2)
Because that is so much better. Nothing like walking out of the office and someone trailing you while watching your every move. Sounds like the other side of the Berlin Wall back in the day.
Re: (Score:3)
At Evil, Co., as part of our environmental responsibility initiative, we push terminated employees into the protein recycling vats.
Re: (Score:2)
Whose job is it to offboard employees such that they aren't just leaving people with access to their systems after firing them? HR? IT? I'm looking at you. I mean... c'mon.
As long as Disney can point to one specific culprit, already fired, they'll do so. Never mind shit policy and the entire chain of failure that led to this incident. Corporations are not responsible for anything. Individuals are. Unless it's systemic and the only culprits sit on the board. Then nobody's responsible. It's just good business.
Re:Obvious Question (Score:4, Insightful)
Committing a crime is a crime.
Re: (Score:2)
On the other hand, not revoking access is gross negligence. You know, the kind that makes you liable.
Re: (Score:2)
Re: (Score:2)
If he had killed somebody, Disney would have been sued for compensation and this guy would have gone to prison for manslaughter. Well, he might still get some time behind bars to make it clear to him what he was doing there. Unfortunately we cannot reduce people like that to Kindergarten and make them try to become decent adults again.
Re: (Score:2)
Re: (Score:2)
Especially when "IT" means a mix of outsourcing companies which handle wildly different credential suites and access solutions.
This happens in pretty much every corporation. Single Sign On is a wet dream.
Re: Obvious Question (Score:2)
Yeah, my old boss would regularly forget to tell me when people left or were let go. I'd eventually hear about it through random conversation and have to do periodic audits to check if any of these people were still working for us.
Fortunately I practiced the principle of least privilege, so only a select few people (basically just 3 people, including myself) could do significant damage, and those were people I would know were gone pretty quickly. We also had very low turnover.
Re: (Score:3)
Maybe cut people a severance check once in a while. The classic: "No hard feelings. Here's 6 weeks if you promise to GTFO"
Re: (Score:2)
Re: (Score:2)
The person that was fired should not criminally use systems after they get fired. Period. That's 'his job'. While it's a good habit to throw out old employee accounts, still having an old password does not make it OK to still use it in a way that harms the company or other people.
Re: (Score:2)
Sure. The person that did this is a criminal moron. But the ones that failed to revoke access are grossly negligent morons.
Re: (Score:2)
Dude is looking at federal CFAA charges.
Re: (Score:2)
Re: (Score:2)
Whose job is it to offboard employees such that they aren't just leaving people with access to their systems after firing them? HR? IT? I'm looking at you. I mean... c'mon.
By the sounds of it, the ex-employee had pretty extensive knowledge of their IT systems. If the disgruntled ex-employee happened to have been a System Administrator, it's quite possible that he granted himself more access than what the HR department knows how to disable.
Re: Obvious Question (Score:2)
I imagine in the future, the bloodsports we'll be fed on TV will be HR-MMA, no holds barred fighting between HR employees, where you're allowed to bite and break the opponents limbs in the ring.
It will be a smash hit, I tell ya.
Re: Obvious Question (Score:2)
Yeah, it's nonsensical.
"We trust you with the keys to ruin our company, but we don't trust you enough to know about HR decisions."
What?
Holy crap what a shitty human being you must be (Score:5, Informative)
to put people's lives at risk because you have a beef with your employer.
Re: (Score:3)
The other things could be written off like pranks, but messing with allergy info isn't okay.
Re: (Score:3)
Especially in that manner. If he had changed it so it said something like the Swedish Fish may contain shellfish that would be kind of funny and people with allergies could at least err on the side of caution and not eat anything
Re: (Score:2)
If somebody gets hurt or dies, it falls under (attempted) manslaughter. You have to be _really_ stupid to do something like this.
Re: (Score:2)
Depending on the jurisdiction, it could be considered Felony Murder.
I'm not sure if Federal law includes such a provision.
Re: (Score:2)
Ah, yes. The US legal system and its corrupted terminology. So, yes, possibly.
Re: (Score:2)
Re: (Score:2)
The guy is a real mental case, but people typically don't just become that way for nothing. Something rotten led up to this even before he was terminated.
A mentally healthy person doesn't act like this no matter how badly they get treated at work.
Re: (Score:2)
Re: (Score:2)
Clearly. Why does this even need to be stated?
Re: (Score:2)
Indeed. However there are many crappy human beings that think the world is all about them and others do not matter.
Re: (Score:2)
Disney security protocol is so Mickey Mouse (Score:2)
Attempted murder, not "computer fraud" (Score:2)
That's clear attempted murder, should be taken very seriously. Why are they only charging him with "computer fraud" .. he tried to kill people.
Dumb fuck deserves prison (Score:4, Insightful)
Why do people do post-firing hacking on their former employer?
They fired you. That sucks. You're not getting your job back. Work on your resume and move on. You hate them so much and cared so much about some dumb job and your stupid boss that you'd go to prison and fuck up your whole life to inflict some temporary harm on them? Super fucking crazy. No wonder he got fired. He was a psycho and a bad hire in the first place.
Be it your former job or your ex-spouse or bf/gf or bff or your dog runs away, just move the fuck on. There is no benefit to going psycho on people who are now your past.
Re: (Score:2)
Why do people do post-firing hacking on their former employer?
Because these people are deeply stupid and think it is all only about them. Gigantic egos, rather small skills. Common occurrence these days.
There is no benefit to going psycho on people who are now your past.
Indeed. But it takes a rational mind and some pragmatism to see that. There are plenty of people that fail this test.
Adrenaline-induced anger not rational (Score:3)
Maybe you have a mellower temperament, but when a good portion of people are angry they are not thinking rationally. Reptilian fight-or-flight instincts kick in, and the urge to cause instant harm as retaliation is set to level 11.
When I get riled up I try to go for a jog or long walk to burn off excess energy caused by adrenaline. Plus the journey gives me time to mellow out and think clearer. (Passer-by's
Re: (Score:2)
> Maybe you have a mellower temperament
Lol, I've been called all sorts of things throughout my life but that's a first :-)
Seriously though, I've worked about a dozen startups, for the Feds, for the state, for huge and medium corporations. I've survived countless layoffs, office ninja'd my way out of one firing, been laid off several times as the startups went under, been fired once and rage quit twice. But at no time ever have I ever no matter how badly or unfairly I was sometimes treated ever once con
Re: (Score:2)
Corporate warfare? Am I reading that right? To me that means he was doing harm as a paid agent of some Disney competitor. Is that what you meant?
Re: (Score:2)
Uh, not necessarily -- though that's an interesting possibility that I'm sure has been the case in some of these other corporate hacks by former employees.
I'm not sure what term you'd prefer... maybe an "activist" sounds better to you?
My general point here is, a LOT of people feel the Disney corporation is a pretty evil one, these days. I don't see how anyone paying attention can mistakenly believe they're the exact same type of company they were back when Walt was in charge of it?
Re: (Score:2)
Sure, they're a lot different than Walt's day but I'm just seeing a guy who abused whatever access he still had to fuck shit up because he was mad at getting fired. He likely wasn't fucking shit up (intentionally) when he was still employed; he was happy enough working there until he suddenly wasn't then went ape shit and fucked himself for nothing. There's no evidence of hacktivism I'm aware of.
At least if he was a paid corporate agent that would make some sense if the pay was high enough. But to do childis
Re:Dumb fuck deserves prison (Score:5, Insightful)
I think you're giving this guy way too much credit, and your explanation of the event in question is unnecessarily complex compared to the obvious and simple one. (Occam's Razor)
This is a guy who, even as you put it:
[...] was not being smart enough to cover their tracks better. If you're recently terminated AND you had access to the systems in question, you're going to be right at the top of their suspect list.
I see no reason to suggest that it is more likely that his actions were a part of some clandestine activism, as opposed to the simple explanation that he was angry with his former employer.
As a bit of a tangent, (not directed at you specifically to be clear, it just makes me think about it), I find it troubling that it has become so common to see folks creating complex explanations that require, in some cases, perfect planning and actioning of a plan, total secrecy, and an entire conspiracy worth of participants, rather than accepting the face value explanation which can usually be summarized as "human was dumb."
Fridge horror (Score:3)
Evil vs. Evil (Score:2)
Damn, we thought Disney was the worst but taking peanut allergy info off of menus is a real concentrated bit of evil.
One supposes this is Disney's available tech recruiting pool after what they paid Fritz Hollings to do?
Still, attacking innocents like this is on par with the neverending pedo ring stings at Disney.
Walt must be spinning in his cryogenic chamber.
I'd want a real source for this before buying it. (Score:2)
Re: (Score:2)
Re: (Score:2)
Well, maybe. But look at people that go kill somebody. Most of them have not thought that through and not all are simply too dumb to do so.
Not quite clever enough (Score:3)
Changing the font to Wingdings is amusing but it would be even funnier if the hacker used Comic Sans or... wait for it... Papyrus.
Re: (Score:2)
Wrong way round (Score:2)
Re: (Score:3)
Jigsaw: Let's play a game. Wingdings, Comic Sans, or prison. Which do you choose?
Re: BIG legal trouble (Score:2)
You're locked in here with me....
I have wingdings and comic sans, and I'm not afraid to use them.
FTA (Score:2)
Did you read an article? The guy was a total nut. He had information on coworkers addresses and families. Hacking and FDA violations are the tip of the iceberg.
Re: (Score:2)
Re:If anything this is managements fault! (Score:4, Interesting)
In 99.9% of cases you can make this fuckup and nothing will happen, because the vast majority of people are ethical and won't do anything even if their accounts are still valid. Leaving access open is EXTREMELY common.
As a consultant i often have temporary accounts to my customer's equipment, i've frequently received alerts weeks/months later, or gone back for another contract and found that consultant accounts (either mine or others) are still present for consultants who finished their work months or even years earlier, or that shared passwords have not been changed.
You can get away with this in 99.9% of cases, it's only in the 0.1% you accidentally hire someone who's crazy and they do something like the story mentions.
Trying to explain to people why this is a bad idea usually falls on deaf ears. Having a single shared password that everyone knows is a lot less work than managing individual accounts, and the extra cost is not considered worth it for the .1% risk.
Re: (Score:3)
The "new" IT guy who took over when I left, hated SSH Keys, so it's only p
Re: (Score:2)
Personally, I'd be tempted to spend a bit on a lawyer to send them a letter telling them to disable the account or change the password or it'll become part of the public record when you ask a court to order them to do it.
Re:If anything this is managements fault! (Score:5, Insightful)
I always, as my last action, disabled my own account if I have access to do so, and request it be done if I don't.
It's not for their protection against me; it's for mine against them. I don't want to be a suspect if anything weird happens after I've left.
Re: (Score:2)
Exactly.
Re: (Score:2)
Whoever dropped the ball is just as liable as the guy who changed the menus.
Civil liability? Clearly. Maybe even more so.
Re: (Score:2)
Last week I reviewed an old VM that another guy was maintaining, the number of IPs in the rule lists for RDP, and SSH was head shaking. He kept adding his new IP, but never removing the old ones, and after 4+ years, there was a huge set
Re: (Score:2)
You can't leave old junk around that doesn't have a use. One bad firewall rule, one open port, one open user account, and you're down and out for weeks if things go bad.
Exactly. Done right, every access, firewall rule, VPN account, user account, etc. has an expiry date before which it needs to be confirmed as valid. I am doing some IT auditing in a regulated environment and there it usually is a monthly check by somebody else than the ones removing access and a yearly check by yet somebody else that the monthly checks were all done. We really need to stop letting non-regulated IT environments above a certain size or criticality get away with half-assing it. This does not e
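The review process described in the comments above (every account, firewall rule and shared password carries a confirmation date, is checked by someone other than the person who administers it, and is revisited when people leave) can be sketched as a small audit. This is an added example, not part of the thread or of any system named in the story; the inventory format, names, addresses and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Grant:
    kind: str                 # "account", "firewall_rule" or "shared_password"
    name: str
    holders: tuple            # people who hold this access or know the secret
    last_confirmed: date      # last time someone confirmed it is still needed
    confirmed_by: str         # who did that confirmation
    admin: str                # who adds/removes this access
    rotated: Optional[date] = None   # shared secrets only: last rotation


def audit(grants, departures, today, max_age=timedelta(days=31)):
    """Return (grant name, finding) pairs for an access inventory.

    departures maps a person to the date they left the organisation.
    """
    findings = []
    for g in grants:
        # Departure dates of holders who have already left.
        left = [departures[h] for h in g.holders
                if h in departures and departures[h] <= today]
        if left:
            if g.kind == "shared_password":
                # A shared secret stays exposed until it is rotated
                # after the most recent departure of someone who knew it.
                if g.rotated is None or g.rotated <= max(left):
                    findings.append((g.name, "not-rotated-since-departure"))
            else:
                findings.append((g.name, "holder-departed"))
        # Every grant expires unless it was re-confirmed recently.
        if today - g.last_confirmed > max_age:
            findings.append((g.name, "review-overdue"))
        # The reviewer must not be the person who administers the access.
        if g.confirmed_by == g.admin:
            findings.append((g.name, "self-reviewed"))
    return findings


# Constructed sample inventory (hypothetical people and systems).
TODAY = date(2024, 11, 1)
DEPARTURES = {"mallory": date(2024, 6, 13)}
GRANTS = [
    Grant("account", "menu-app:mallory", ("mallory",),
          date(2024, 5, 20), "erin", "dave"),
    Grant("shared_password", "sftp:menus", ("mallory", "dave"),
          date(2024, 10, 15), "erin", "dave", rotated=date(2024, 1, 10)),
    Grant("firewall_rule", "ssh-allow:203.0.113.7", ("dave",),
          date(2020, 9, 1), "dave", "dave"),
    Grant("account", "vpn:erin", ("erin",),
          date(2024, 10, 20), "frank", "dave"),
]

if __name__ == "__main__":
    for name, finding in audit(GRANTS, DEPARTURES, TODAY):
        print(f"{finding:30} {name}")
```

The shared password is flagged even though it was reviewed two weeks earlier: a recent confirmation does not help when someone who knew the secret has left and it has not been rotated since.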