Hacked Menus & Hidden Allergens: A Food Safety Nightmare at Disney | Episode 121
DEP E121
===
[00:00:00] Matt: If it was, he just changed the menu around added profanities was just jacking around with the pricing. I don't think they would've thrown the book at him as much as they did until they started jacking with allergens, because that's changing it from a bad prank. This is not a smart thing to do, but it's changing it from a prank to manslaughter.
At least
[00:00:23] Francine: nobody died.
[00:00:24] Matt: Nobody died, but the potential for manslaughter to
[00:00:29] Francine: right
[00:00:29] Matt: first degree murder, like if that was his intent to go in there and mess with the menus, to ultimately kill somebody. That could be first degree murder.
[00:00:42] Intro: Everybody's gotta eat and nobody likes getting sick. That's why heroes toil in the shadows, keeping your food safe at all points from the supply chain to the point of sale. Join industry veterans, Francine l Shaw and Matt Regus for a deep dive into food [00:01:00] safety. It all boils down to one golden rule. Don't.
Eat poop.
[00:01:07] Matt: Don't eat poop. Hello? Hello, Francine. Hi Matt. You were just telling me about the vet, how much, okay. This is, those of you don't know Francine. Literally her dogs are like bears. They're massive dogs. They weigh more than you now, don't they? Oh,
[00:01:25] Francine: heavens yes. My, my sons, they're like a side of these,
independently of one another. So you just took 'em to the vet. How much do they weigh? One weighs 1 44 and the other one weighs 1 46.
[00:01:42] Matt: That is in and And the females bigger, right? They're both female. Oh, they're both female. They're
[00:01:47] Francine: both female.
[00:01:50] Matt: That's crazy.
[00:01:51] Francine: Yeah. And yes, so
[00:01:51] Matt: seeing her with these bears,
[00:01:54] Francine: I weigh like 1 15, 1 20.
So yes, they're definitely way more than I [00:02:00] do.
[00:02:01] Matt: That is crazy. These dogs are massive and it's so funny seeing them next to you because you're so tiny and these dogs are so huge. How do you handle like being around these dogs? 'cause they knock you over, don't they? Like just wagging their tail. They could probably not do over.
[00:02:22] Francine: And so if they walk up to me and they, one of them has a tendency to walk up to me and lean, she wants to lean into me. It's like, would you just stand up? Because it, it will knock me off balance only. They're very well behaved, really, but they're, if they get excited, they definitely could hurt me. It could hurt me when I go home at the end of the day and they both come rushing at the door.
It's a bit much. Yes. Brace myself. They're Newfoundlands, they're gentle dogs. Really. They just don't always know how [00:03:00] big they are. Like I have two young grandchildren. I have three grandchildren, but two of them are young, so they're literally can look them in the eye. And, but they've grown up with these kids.
The kids have grown up with them either, either way, and it's sometimes funny to see them interact together. My granddaughter is sometimes, once they get the excitement of saying hello over with, like greeting them when they get there, everything's fine. But when they first get there, they're really excited.
[00:03:37] Matt: Yeah. Yeah.
[00:03:38] Francine: So I. There's always a little bit of concern that you don't want anybody to get hurt or knocked over or anything. But once they get that initial excitement over with, it's all good.
[00:03:53] Matt: So as long as you don't die with the hello,
[00:03:56] Francine: let them sniff you and say hello,
[00:03:58] Matt: then you're good. [00:04:00] That's great. I
[00:04:01] Francine: mean, the animal can look you in the eye and is like, you know, I don't know, 10 times your body.
[00:04:09] Matt: Yeah,
[00:04:10] Francine: it's not quite that much. We came out of the room and there was this little boy there that was probably, I'm gonna say four or five years old, and my husband was walking him out and of course they love kids and they go walking up towards this little boy and they're like looking him in the eye and he would, the expression on his face was like, oh my.
[00:04:37] Matt: I'm not even a snack for these dogs.
[00:04:41] Francine: No. If you're not a big dog person, you would not like them and they, they don't JUUL a hundred percent of the time, but if there's food or if they're excited, there is Juul and sometimes it's like a water faucet and it's so disgusting. [00:05:00]
[00:05:00] Matt: Just so it's like that movie Beethoven and the Saint Bernard shakes his head, and the
[00:05:05] Francine: 100%
[00:05:06] Matt: Lober flies all over the place.
Ah. And I
[00:05:10] Francine: don't know which one it was, but one of 'em shook their head and it hit me right in the chin. And I'm like, oh my God. I thought I was gagging.
[00:05:18] Matt: Okay, well the. Last episode, we talked about the agro bioterrorist weapon, which is a very uplifting and exciting conversation. And at the end of that I was like, oh, Francine, did you hear about the guy who just got prosecuted for changing the Disney menus?
Maybe we'll bring that up. Yeah. Come on guys. We'll have one more conversation about. Food defense and then we'll go back to some other type of exciting topic like outbreaks in, in cucumbers or something like that.
Oh my gosh. Okay. So [00:06:00] this is crazy. People are crazy. Francine people are absolutely insane. I don't, okay, so just, what was it, April? This guy got prosecuted in Florida. He's a former Disney employee and why we're talking about this is this dude like hacks into, he gets ticked off at Disney, he gets canned from Disney, and then he hacks into Disney menu and starts jacking with the menus after he was fired.
So over the course of three months after he is canned, he hacks into the system and he falsifies information. This the,
[00:06:35] Francine: go ahead. Wait a minute. Do you think he hacked in or did they not change his password? Yeah.
[00:06:41] Matt: Tomato, tomato potato. Was it supposed to be in the system? I doubt there was some, I don't know.
Maybe he had some backdoor thing, but I probably, they didn't change his password or one of his coworkers, he learned a coworker's password or something like [00:07:00] that. That's not that hard to do. Log into somebody else's information. The, if your system isn't designed where you have to have a workstation, then you can just hack in using somebody else's credentials as well.
So it doesn't explain how he got in there. It could have been his previous username password. Generally, companies like Disney tend to shut that down. Or he used somebody else's login credentials or he had some sort of admin credentials and created something. I don't know. We could think of like dozens of ways that he hacked in easily versus hacking in like hard.
But they threw the book at this guy, so he gets three years in prison. He's a 40-year-old dude.
[00:07:52] Francine: Exactly. He is an adult man.
[00:07:56] Matt: He's an adult man.
[00:07:58] Francine: Why? [00:08:00]
[00:08:00] Matt: He was really angry. Franzi. He was obviously not happy with Disney's. I stand
[00:08:07] Francine: being,
but the things that he did went beyond hurting the company. Oh. Some of 'em were, could have definitely and did take aim at the company, but some of them could have killed people.
[00:08:30] Matt: Yes. Yeah. And we'll get into that 'cause that's crazy. But, so the judges gave him his due. He has to pay restitution of $620,000 to Disney and 70 K to an unidentified software company that provides Disney with the menu creation program.
I don't know why he has to pay 70 K to them. What did he do to the software, like maybe he did hack [00:09:00] into the system, like really hacked into it, not using a username password. So for some reason he needs to pay the software provider 70 K. So there's that. But yeah, so this guy, he comes back from maternity leave, so he probably didn't get enough sleep, I'm guessing.
Just had a baby. I understand, bro. I feel you. I have perpetual babies at my house, so yeah, I'm feeling that right now. Now I'm exhausted because I, we have babies and I work full-time and all that stuff. I work more than full-time, but I never have been. When you're exhausted, do you think, how do I spend time?
Hacking into someone else's menu system? No. No. I think maybe I need a nap
[00:09:52] Francine: Sleep.
[00:09:56] Matt: Okay. Well, this guy thinks differently than we do. So he comes back from [00:10:00] maternity leave and he is fired for an unspecified misconduct. So I don't know, maybe he is tired and then he chew his boss out or something like that. I don't know. An investigation with the Federal Bureau of Investigations. So FBI later revealed that beginning around the time and over approximately three months, there were multiple hacks into servers that hosted the menu creation program.
So after this guy gets canned and over the period of three months, he hacks in and he starts jacking with the menu and he so. Those changes to the menu include price cuts or hikes of a few dollars profanities and altering allergens of certain items. So that's why we're talking about this because she jacks with the allergen menu, which to Francine what you were saying, could have killed people or made people very, very sick.
So here's some examples of what he did on a drink called Giddyup, a blend of [00:11:00] vodka, lemonade, and iced tea. He lowered the price for two bucks. He took two ounces off an eight ounce file file, mignon, and in other incidents, this is the profanities, he changed the name of Shellfish to Hell Fish, which, okay, if that was it, we really wouldn't be talking about this.
But then he changes these, the menu, quote unquote, the prosecutor said in a discrete way in which the changes were made. As like likely designed specifically to avoid detection, so like minute changes. Not like he took a steak and then made it all of a sudden 300 bucks or anything like that. He changed it slightly, but then he also changed certain menu items, Bly showing that they were safe for people with allergies to peanuts.
Free nuts, shellfish, and [00:12:00] milk according to his plea agreement. So he legit changed the menu that showed that he did not have allergens when items actually had allergens.
[00:12:14] Francine: So shellfish to hell fish if somebody thought that was just like, let's say a really spicy item instead of actually shellfish. Yeah.
That could be a significant issue because shellfish is an allergen now to remove peanuts from a dish or tree. Nuts from a dish
[00:12:36] Matt: or shellfish for shellfish. People with shellfish allergies,
[00:12:39] Francine: he's playing like rice and roulette with people's lives.
[00:12:42] Matt: Oh, 100%. 100%.
[00:12:46] Francine: What would possess somebody to do that?
[00:12:49] Matt: I think that's where it becomes a big difference.
[00:12:52] Francine: Something not labeling something's bad. Yes. You mean that, but like to go in and intentionally change these items because [00:13:00] you're mad at your employer. Yeah, former employer.
[00:13:06] Matt: Like really mad. This is one of those things where you're like, come on dude. She just had a kid that you care enough about to be on maternity leave, so I assume he didn't take maternity leave.
Just to vacate, right? He was probably helping out his significant other. Take care of this kiddo. Now you're locked up in bars for like three years and you have to pay more than almost a million dollars, more than a half a million dollars enough where, yeah, you're talking over 700 K in fines. This guy's life is altered forever, and if it was, he just changed the menu around added profanities.
Was just jacking around with the pricing. I don't think they would've thrown the book at him as much as they did until they started jacking with allergens, because that's changing it from a bad prank. [00:14:00] This is not a smart thing to do, but it's changing it from a prank to manslaughter. At least
[00:14:06] Francine: nobody died.
[00:14:08] Matt: Nobody died, but the potential for manslaughter to
[00:14:12] Francine: Right.
[00:14:13] Matt: First degree murder, like if that was his, his intent to go in there and mess with the menus to ultimately kill somebody that could be first degree murder.
[00:14:20] Francine: And yeah, I don't think he
[00:14:22] Matt: think he thought that far. I don't think he was. I
[00:14:24] Francine: don't, he just took himself out of the industry.
He's gonna have another career.
[00:14:30] Matt: He took himself out of society for three years.
[00:14:34] Francine: Okay. But when he comes back, I hope he studies while he is there for a new career because he can't work in the industry.
[00:14:44] Matt: It depends on what he was doing with menus. Was he in the food industry or was he more marketing?
[00:14:50] Francine: No, it, it said in the article that he and his employer got in an argument about menu creation.
I believe. It says,
[00:14:59] Matt: yeah. [00:15:00] So, so he was very passionate about his menu creation? Yes. Yeah.
[00:15:05] Francine: He had an argument with a supervisor about menu creation according to the documents. So
[00:15:11] Matt: what type of argument? Okay, so I have to catch myself occasionally 'cause I try to rationalize everything and I tell my kids that rationalizing insanity is actually insane.
You cannot try to rationalize insanity. It just drives you insane, and I think that's what this is like something triggered this dude, he went crazy and everything after that, you just have to chalk up to insanity because something triggered this dude, but I just can't imagine anything triggering me this way that I would spend three months.
[00:15:52] Francine: They had the argument about menu creation. That's what the argument was about, was menu creation. Then he was [00:16:00] fired for probably misconduct, insubordination or whatever. That's why he got fired. So it wasn't about menu creation. He did this because he got fired. He didn't do this because of the menu creation.
He did this because he got fired?
[00:16:15] Matt: Yes.
[00:16:16] Francine: It's not about menu creation. The argument was about menu creation. Then he was fired because of either insubordination, misconduct, whatever he did as a result of that.
[00:16:25] Matt: Totally, and I'm passionate about work, but there's nothing in work that would make me, after getting canned, be like, I'm gonna do everything possible to maliciously hurt this organization.
But obviously there are people out there and we have to protect ourselves from those people. Like in food safety. We have to protect our organizations against people like this that would get upset about anything. Then go and maliciously do something. This is the second time, [00:17:00] right? A couple months ago we had a podcast about the guy who changed the chemicals in the chicken operation, hacked into the system and changed the chemicals.
He wasn't on site, he just hacked in and did it. This is another example of somebody who hacked in, changed the menu, so it gotta love them. They. All those different things that we have to do to make sure that our systems don't get hacked. They're really important. They're a food safety issue,
[00:17:31] Francine: so the software piece of it is a little bit confusing and curious.
It makes me curious that I wonder what their angle is because their software program should have, in my opinion, features. There should be features somewhere to prevent this, not necessarily maybe the software program, but somewhere in that system [00:18:00] there should be security features to prevent this type of thing from happening.
[00:18:08] Matt: I bet they don't even think about that. These are one of those things where it's like an ancillary software that isn't part of QA food safety, but it's something where QA and food safety have to ask questions about this type of stuff because it can touch, it obviously does touch your job, so because they're putting allergens on there.
[00:18:27] Francine: For example, if there's x number of changes made in a variety of different areas within one day and you don't have a password. Or something to, and make these like maybe different passwords to make these var this variety of changes. Then it should send a notification or a trigger to let somebody in executive management know these things are happening.
[00:18:58] Matt: It's hard because, okay, so in [00:19:00] software you can put all these different types of security things in there. It's just. How much do you wanna lock down the system?
[00:19:06] Francine: It's not uncommon to go in and change a bunch of recipes in one day. It's not uncommon to go in and change a bunch of prices in one day. It's not uncommon to go in, change different elements of one segment in one day, but to go in and change multiple items in multiple segments in one day is not common.
You understand what I'm saying?
[00:19:31] Matt: I do. But also at the same time, no, if you're in charge of editing the menu or you're somebody who not in charge of editing the menu, but somebody who gets like a bunch of edits from somebody and then you go and edit the menus, you could edit a whole bunch of stuff, block it out and do a bunch of stuff in one day.
Or you could do little edits over the course of multiple days. You could stop it if you had to be on premise, for instance, to do something. So. In my organization, in order to [00:20:00] get into my database, you have to actually be at the office in order to do that. You can't go in from an outside to do that, and only certain people have access to that.
So we really shut that down big time. But then you can't work from home and access the database. And a lot of organizations have people working from home that they, because they don't have to be on premise in order to do that. It depends on how he got it, but. You're right. If you're trying to figure out how to manage this, like moving forward for companies or people that are listening to the show and you manage food safety, this goes back to that IT thing where we're like love and hate it.
Where there may be, in order to do this, like you have to be on premises in order to change stuff,
[00:20:47] Francine: to change recipes, menu items, prices at multiple restaurants in multiple locations. All this in one day, that just doesn't, not likely. [00:21:00]
[00:21:00] Matt: Yeah. I disagree. I You can, working with so many different softwares
[00:21:06] Francine: now, if they have that one menu item and it's served in six different restaurants, I would imagine that menu item, they don't go into six different restaurants.
Somebody like Disney, Disney doesn't change that. That's probably changed once and it goes to all locations.
[00:21:23] Matt: You know what I mean? One of the things that you could do when you're looking at software that would do something like this is if you're going to change an allergen. You have to be on premise or only certain people can change allergens.
And if someone changes now allergen, you could flag it like certain fields then could be flagged and notified and approved by other people. So you could create software to have multiple authorizations, and that would be a good way of protecting against this. If
[00:21:51] Francine: allergens needed to be altered or changed, then you needed different verification codes or only.
You could only do that from [00:22:00] within the facility.
[00:22:01] Matt: So somebody changes it and then someone from QA or food safety has to sign off on it and approve it. Maybe not to add allergens, but to get rid of allergens 'cause. Right. Although that would decrease sales potentially if someone added an allergen to it.
Nefariously, you wouldn't have the potential. Killing somebody by adding an allergen versus deleting an allergen. Totally could.
[00:22:29] Francine: Like I know some of these menus and a lot of the items that are entered and altered can now be done from a home. That can be done from a home office at one time, had to be done within the unit.
Right now, it can be done from a home office or a main location. I don't know. I don't know. There just has to be.
[00:22:51] Matt: Yeah, well the, and, and this is one of those things that we just need to think about, as in our job in food safety and quality is [00:23:00] a lot of times these type of software decisions are not made by food safety, which is fine, right?
Food safety doesn't have to be a part of a menu. Software, RFP, which food safety should be part of. Signing off on allergens or that type of stuff, like on the menu, and it's something that, that, that shouldn't just be routine, right? Someone's deleting an allergen. You just don't go in and go, oh, I have this thing pop up on the software.
I need to approve it and just approve. If someone's deleting an allergen, this is something to think about, like they could be accidentally doing it or doing it nefariously.
[00:23:42] Francine: So this is one of those situations that's not a problem until it's a problem. And Disney. We both know that Disney runs a very tight ship.
[00:23:49] Matt: Very tight ship.
[00:23:50] Francine: Like they've got one of the best in Yes, probably the world, definitely in the country, probably the world. There's no question that they run a very tight ship. So the fact [00:24:00] that this guy was able to get in there and do something like this just is mind boggling.
[00:24:05] Matt: Yes.
[00:24:06] Francine: So it's no question one of those situations that just.
You just don't think about until it happens. So if they didn't think about it certain that there are a lot of people that listen to our podcast that haven't thought about it, let alone people that aren't listening. And it's something that you know, should be thought about because it could happen anywhere.
[00:24:36] Matt: It could happen anywhere. It could happen anywhere. You and I have both worked and had multiple employees, worked with lots of people, people don't all think the same, and people I would never
[00:24:49] Francine: think to do it wouldn't even enter my mind
[00:24:51] Matt: to go in, into no, that this is a different type of evil. And, uh, who knows, may like what you were saying, like [00:25:00] maybe they weren't in the intent of hurting somebody, but if you're changing allergens, you have to come from under a rock.
A third world country. If you're a 40-year-old living in the United States, working in Florida with last names Schroer, I'm guessing you understand what an allergen is and then what people can do. Like what? What happens to people who consume allergens that have anaphylactic shock? Like
[00:25:29] Francine: I think there's a lot of people out there that believe that food allergens.
Make people sick, like
[00:25:36] Matt: what we were talking about the a couple weeks ago,
[00:25:39] Francine: but they don't necessarily understand the severity of, they may die quickly. That's what I mean. I don't know, and I don't know this individual, I wanna hope that he didn't think, well, somebody could die if I do this and Disney's gonna get sued and whatever.
I, I wanna think that wasn't his thought process. Maybe that's [00:26:00] just me and wanting to see the good.
[00:26:02] Matt: Yeah, which I think is normal. That's
[00:26:05] Francine: the evil.
[00:26:06] Matt: Yeah. But it doesn't matter. He did it and it could happen again to somebody else. And it doesn't have to be somebody who makes like a big scene when they walk out of the office.
Like they could be totally normal. Hey, listen, we have to let you go because you did X, Y, z, blah, blah, blah. Here's the multiple times we talked to you about it and you kept it going. And they could be super quiet and just take it. Absolutely. Like they walk out and you're like, wow. That went way better than I thought.
This guy or gal usually blows up and goes crazy. I can't believe that person could be Then stewing. And then two days later, hack in and do something crazy. So it doesn't have to be the person that blows up when they get fired. It could be someone who just walked out perfectly fine, grabbed their stuff and left.
And then three days later, man, this is where that um, it stuff we talk about where it's like, golly, it's so [00:27:00] hard to do all this new stuff, but they're protecting the company and food safety has to be right there with them. Yeah. Wow. Alright, so next week what? We'll talk about cucumbers and salmonella again, or something like that.
Something a little bit more uplifting. It's
[00:27:17] Francine: outbreak. It could be over by then, but don't break.
[00:27:21] Matt: That's crazy. It's crazy. Alright, well Francine, don't eat
poop.
