Jackson Thornton Technologies News + Updates

Jackson Thornton Technologies has been serving the Southeast since 1999, providing IT consulting and managed services, technical helpdesk support, cybersecurity assessments, and business continuity and disaster recovery to small and medium-sized businesses.

The Latest Moral We Can Learn from Disney: Manage Permissions Better

The Latest Moral We Can Learn from Disney: Manage Permissions Better

The Disney brand has long cultivated an image of magic and wonder. However, this image has yet to materialize any magical effects in reality. For example, people still suffer from food allergies while visiting Disney’s various parks.

This makes it especially dangerous that a former Disney employee was allegedly still able to access a specialized menu-planning app and make alterations, like changing prices, adding language that Disney certainly would not approve of, switching text to the unintelligible “Wingdings” font, and worst of all… changing menu information.

More specifically, as an agent with the Federal Bureau of Investigation put it in the official complaint:

“The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies.”

There’s nothing quite like lethal anaphylaxis to make a family vacation memorable, right?

Fortunately, Disney caught the issue before any altered menus were distributed to their restaurants, and investigators have found no evidence that a customer ever saw them.

Furthermore, there is no indication that these events are in any way related to the October 2023 death in a Disney-owned restaurant after allergens were ingested.

How Did These Changes Happen?

Simply put, someone had permissions that they shouldn’t have.

According to the FBI complaint, the accused—former Disney employee and menu production manager Michael Schuer—allegedly used his existing Disney credentials to access the menu-planning app and make the above changes while using other old logins to access the app developer’s server.

However, once the Wingdings appeared, other Disney employees caught the issue and took the app offline… but not before many employee accounts had been locked due to the accused allegedly utilizing scripts to automate logins, meaning that over a dozen employee accounts exceeded their acceptable number of login attempts.

The complete criminal complaint offers more details about this event and the inciting attacks.

The Moral of the Story: Pay Closer Attention to User Permissions

This entire situation could have been avoided if the alleged perpetrator’s access had been appropriately removed once his employment was terminated. However, that one oversight allowed this potentially very dangerous attack to progress as much as it did.

While we don’t ask this to frighten you, it needs to be asked: when was the last time you checked who can access what in your business?

You may be surprised by what you find. It can be too easy to overlook deleting a user’s profile if they leave the company, and it can be even easier for these profiles to have more access than they need. This is precisely why the Principle of Least Privilege—restricting everything to only those who require it for their day-to-day responsibilities—is so critical.

After all, once someone leaves your company, they no longer need any of your data and should not be able to access it.

Jackson Thornton Technologies can help you evaluate and audit your business’ permissions, making it more secure by reducing the number of ways a cybercriminal could use to get in… and yes, a former employee with an ax to grind counts. Give us a call at (877) 226-9091 to learn more.

Get More Out of Your Business with Enterprise Soft...
Tip of the Month: Using Email While Prioritizing S...
 

Comments

No comments made yet. Be the first to submit a comment
Guest
Already Registered? Login Here
Guest
Saturday, 21 December 2024

Captcha Image

Request a Consultation

Jackson Thornton Technologies strives to provide the best comprehensive IT, Computer, and Networking services to small businesses. We can handle all of your organization's technology challenges.

Contact Us
Contact Us

Learn more about what Jackson Thornton Technologies can do for your business.

200 Commerce Street ,
Montgomery, Alabama 36104

Call us: (877) 226-9091

News & Updates
Jackson Thornton Technologies (JTT) is pleased to announce its expansion to a third office located in Auburn, Alabama. This new office will allow JTT to provide additional services in the East Alabama market including cybersecurity reviews, training ...