Need to alert Disney's IT department of MAJOR SECURITY glitch

Status
Not open for further replies.
I'm going to guess they're already aware, but you can certainly call them. Guess everyone handles it differently, but I don't think it's THAT big of a deal. There are worse things than someone being able to see my reservations at WDW.

Our IT requests that everyone report every issue, even if you're the 200th report that day. They said those data points are extremely useful for helping them track down the issue and fix it. Some errors are insanely specific- ex I had an issue with hyperlinks not working on half the group’s computers but worked perfectly on the other half. Checked people’s settings, versions all that- identical. Finally figured out that people who had problem were people who had never changed default browser. If at any time you changed default browser and then changed it back, the links worked correctly. Finding those weird little things can be a challenge so having as many data points as possible is good. The frequency of error rate also changes where in the queue it is- if we have one person complaining, it stays at the bottom. A few thousand, it gets a team assigned. So, always call in. ;)
 
This chilled me to the bone. This is the first time I have experienced something like that with the application. Disney's IT have to deploy software patches immediately. The fact that my family's information is not secured and can be exposed is unsettling.

This is more than a bit dramatic, don't you think? This has happened to me a few times. I never even gave it a second thought. Just log out and back in and everything is fine. You can't make any changes without re-entering your login info anyway, which is probably due to this very type of occurrence.
 
I don't know if they could, since Disney annoyingly seems to make you log in again whenever you try to do anything on their site. (I only walked away for FIVE minutes! Why is my session expired???)
This and every time anything is changed through MDE you get an instant email to alert you to the change that has been made. So if an email shows up announcing a change to a reservation or whatever, and you know you didn't make one, then you call Disney and get it straightened out.

I don't think credit card info would be easy to get, but that's an easy fix too.
 
Thank you all who added their perspective. Everyone's opinions (and reactions) are valid. For those who thought I overreacted, since I didn't click on any of the reservations links, fast passes or dining links or ANY links on that family's reservation, I didn't experience the "log back in" message which is why I freaked out. I wasn't going to click since those weren't my reservations. Obviously, if I had and I had gotten the "log back in" message I wouldn't have felt so uneasy. But I did what I hope if someone else gets my family's page, would do, log out and log back in. Since that didn't happen, I did worry about what could potentially happen if someone had gotten hold of my information. And I mean, all of it, credit cards, personal information, etc. Again, I don't know how deep I could have gotten with that family's profile. All of that is valid. Now, I did report the glitch because it is indeed a security and personal information malfunction that needs to be rectified. So, here's to hoping there is truly nothing else being shared, while they fix the bug, but balances on resort stays, where you and your family are staying at and with whom, where you plan to be dining at and if you got the ever elusive Slinky Dog Dash fast pass.
 



I'm glad you reported the glitch! That was definitely the responsible thing to do. Did you get to speak to an actual cast member?

While you're correct that it is certainly a security breach, I do think it's a minor one. "Balances on resort stays..." Everyone pays something similar. "Where you and your family are staying..." In a resort with hundreds of other families. They can't, fortunately, see your room number. "With whom..." Even if you have a very unique name, it'd still be extremely difficult to find you. The staff do not hand out room numbers and contact info, even to strangers who have a name and date of stay. "Where you plan to be dining at..." In a large restaurant with lots of other families. "And if you got the ever elusive Slinky Dog Dash fastpass." Happily, it's not as if they can find you - one person out of thousands in the park, who may be riding Slinky Dog at some point during a one hour window - and mug you for it. :D

(I've got TWO Slinky Dog fastpasses! :dogdance:)
 
You assume Disney’s IT cares?

I'll take that as a reasonable question and answer that I assume they care. They're not evil people. They just have a monumental task of keeping a website running with features that were stunningly ambitious, and never done before on this scale. And with tens of thousands of people at Disney World every day, they can never take it offline. And they're tasked by the needs of an ambitious business to keep growing the site -- which introduces new bugs, many of which can't be anticipated in testing environments. It's like trying to build a second deck on an airplane while it's still flying. Software development is very hard on this scale, which I would've never known until I got a taste of it at another company.

When it works, My Disney Experience is an absolute marvel on what they pulled off -- but in a way that the average user is not meant to ever understand or appreciate. When it doesn't work, it can create stress and frustration, and terrible inconvenience for people who are supposed to be on vacation and having a relaxing fun time. I'm in no way excusing problems in user experience, site reliability, and especially not site security. Criticism is absolutely valid. But I don't think they are callous or foolish or even stupid people (as some people have suggested in these forums).
 



I can't hit the "like" button enough. So very well said. You give it more credit than I do to say it's a reasonable question when there's the flippant comment of "You assume Disney IT cares". See comments like that a lot here. Personally, I think that's just silly. Your comments on how complicated MDE is (I don't work in IT, but I can only imagine) and how difficult of a task it must be are spot on. Yep, it's frustrating when it's down or not working exactly right. But I think it's amazing on the grand scheme.
 

My husband is a senior civil servant in the Canadian gov't. Phoenix was the new payroll program, and... "glitch" isn't strong enough. "Ongoing catastrophe" may be a better description. It's affected almost all departments and has been in the news a lot. So, I've heard a lot of very cranky comments about civil servants and IT, from people who have no idea how hard these folks are working to try to fix things, and how deeply they care about the way things are going. And how frustrated many of them are with the circumstances that led to the current situation. I assume Disney's IT department is made up of similar people.

So when I read, "You assume Disney's IT cares?" my first thought was, "Don't you care about YOUR job?" And then I thought, uncharitably, "Well, maybe they don't. Maybe they're projecting." :laughing: Which is when I thought I should probably not post a direct reply.

Every department has its share of people who care, and people who don't care. But, by and large, the vast majority of people actually want to do their jobs and get things up and running smoothly. As a previous poster wrote in this thread...

Our IT requests that everyone report every issue, even if you're the 200th report that day. They said those data points are extremely useful for helping them track down the issue and fix it. Some errors are insanely specific- ex I had an issue with hyperlinks not working on half the group’s computers but worked perfectly on the other half. Checked people’s settings, versions all that- identical. Finally figured out that people who had problem were people who had never changed default browser. If at any time you changed default browser and then changed it back, the links worked correctly. Finding those weird little things can be a challenge so having as many data points as possible is good. The frequency of error rate also changes where in the queue it is- if we have one person complaining, it stays at the bottom. A few thousand, it gets a team assigned. So, always call in. ;)

That's how IT works!
 
This is what happens when a major company fires HUNDREDS of American IT workers and then literally forces them to stay to train their foreign replacements (making pennies on the dollar) or they don’t get their severance package. In IT, as in most things, you get what you pay for. Now you see why Disney IT is a hot mess.

Since I’m not allowed to post links, here’s the story of how this IT downfall began in 2016. I encourage you to research for yourselves.

————————————
Disney 'forced 250 of its American IT workers to train up the Indian workers who replaced them'

Walt Disney Parks and Resorts is being sued by 30 former IT staff from its Florida offices who claim they were unfairly replaced by foreign workers - but only after being forced to train them up.

The suit, filed Monday in an Orlando court, alleges that Disney laid off 250 of its US IT staff because it wanted to replace them with staff from India, who were hired in on H-1B foreign employee visas.
 
The lawsuit was thrown out by the judge who decided that there was no harm caused as most of the previous employees found work at Disney.
 
This is what happens when a major company fires HUNDREDS of American IT workers and then literally forces them to stay to train their foreign replacements (making pennies on the dollar) or they don’t get their severance package. In IT, as in most things, you get what you pay for. Now you see why Disney IT is a hot mess.

While I have sympathy for people struggling with the website (and I'm probably jinxing myself here), I don't think I would describe it as a "hot mess".

In fact, except for some happily short-lived frustration when I was trying to book fastpasses along with everyone else last Tuesday morning and the site kept crashing, I have really not had any issues with the Disney site. I find it easy to navigate and simple to understand. Generally, everything works as it should. Even last Tuesday, though it took an extra hour before I could get in, I did end up with all the Fastpasses I wanted, at the times I wanted. I have had a much harder time getting tickets online for local concerts and festivals, than I did getting fastpasses. (And I've dealt with some awful websites for local festivals, designed by local talent!)

Also, I was pleasantly surprised to discover that - for the first time ever! - my Holiday sleigh ride is listed on my plans page. In years past, tours and special activities were never listed, and it was always a bit worrying, wondering if you were actually signed up. You wouldn't even get a confirmation e-mail! So I would carefully write down my confirmation number and cross my fingers.

Could Disney IT do better? Of course! If you're having issues, complain! But, all in all, I do think they're doing a decently good job. As a non-American myself, with a mother who has lived and taught overseas, I have no difficulty believing foreign workers can be quite competent at our jobs. ;)
 
Let’s assume someone accesses my account but the usual safeguards are in place. That someone can’t see/edit my full credit card number but they can see the last 4, expiration date, and my name as it appears on the card. That’s a lot of information for someone who knows how to use it.

Still assuming the usual safeguards are in place, that someone can still change my ADRs, FP+, itineraries, etc. IMHO, that’s a big deal.

Now let’s talk about the elephant in the room. Those usual safeguards clearly are NOT in place. If someone can access my account like that how can we really be sure the rest of the safeguards will always work as expected?

Additionally, if a hacker gets wind of this, that same said hacker could possibly find and exploit the security hole that allowed this to happen in the first place...then our full card numbers could wind up out in the open.

I don't care what anyone says. This is a serious security hole with potentially serious implications.

ETA, I deleted my credit card info just to be safe.

Mike
 
This is what happens when a major company fires HUNDREDS of American IT workers and then literally forces them to stay to train their foreign replacements (making pennies on the dollar) or they don’t get their severance package. In IT, as in most things, you get what you pay for. Now you see why Disney IT is a hot mess.

Since I’m not allowed to post links, here’s the story of how this IT downfall began in 2016. I encourage you to research for yourselves.

The IT downfall happened long before 2016. It's always been a mess with Disney. It's easy to blame foreign workers but it really comes down to unwillingness to spend money on application development. I work for a large company and we outsource a lot. Hate to say it because I think Americans should have the jobs, but the people from India are very dedicated and in my experience rarely make mistakes. They are devastated with a minor error. It's a prestigious position over there. Having been there myself, the alternatives are not pretty, they have to do a good job. It's hard to make a case to bring jobs back.
 
Interesting. Thanks for sharing.
 
You assume Disney’s IT cares?


I do not assume they care. I believe they care. Every call I have made has been responded to with respect. I know the differences between someone just going through the motion and someone who is invested in making a correction. I find it odd that people assume that other people do not have the same interest and pride in their work as they themselves do.

I'll take that as a reasonable question and answer that I assume they care. They're not evil people. They just have a monumental task of keeping a website running with features that were stunningly ambitious, and never done before on this scale. And with tens of thousands of people at Disney World every day, they can never take it offline. And they're tasked by the needs of an ambitious business to keep growing the site -- which introduces new bugs, many of which can't be anticipated in testing environments. It's like trying to build a second deck on an airplane while it's still flying. Software development is very hard on this scale, which I would've never known until I got a taste of it at another company.

When it works, My Disney Experience is an absolute marvel on what they pulled off -- but in a way that the average user is not meant to ever understand or appreciate. When it doesn't work, it can create stress and frustration, and terrible inconvenience for people who are supposed to be on vacation and having a relaxing fun time. I'm in no way excusing problems in user experience, site reliability, and especially not site security. Criticism is absolutely valid. But I don't think they are callous or foolish or even stupid people (as some people have suggested in these forums).

Well stated. I am not going to say I have not been frustrated and a bit stressed as this new website comes to life, and I sure will not even pretend to know how this behind the scenes technology works, but I am impressed. My oldest son is part of a team who builds "stuff" for his company, and is often tasked with projects that are impossible to complete with the constraints he and his vastly reduced team are expected to work with. That team's work ethic is impeccable, but I imagine that there are times their expertise was called into question when their product was rolled out with glitches they were not able to avoid because the people who ultimately determine the timeline had the final say. I have to believe the same holds true for the IT folks tasked with all the changes in MDE.

@Magpie - I have been frustrated with all of the changes in MDE. I am booking FP for my crew soon and the tickets were a mess. The magic bands come and go, but I am not concerned with that, because I can always buy them there, but my FP? With north of $14,000 already invested in this trip, a newbie along who has never been and looking forward to her first trip, and my DH who very seldom joins the crew being the one whose ticket was gone, I found MDE a very hot mess. I finally got my ticket situation corrected, and now my Memory maker is gone. SO for me, as much as I am confident that eventually the site will be much improved, I am frustrated that I cannot get my trip sorted out.
 
I don't know if they could, since Disney annoyingly seems to make you log in again whenever you try to do anything on their site. (I only walked away for FIVE minutes! Why is my session expired???)

But even if they could... Why would they?

If you opened up a page to see someone else's plans listed, would you immediately emit a villainous laugh and start trying to cancel their reservations? I know I wouldn't. I'd do what anyone else would do... comment, "Oh, that's weird," and log out and log in again, looking for MY plans. Then I'd fire a note off to Disney about it, with all the relevant details (browser type, computer, time, etc).
I’m guessing most people aren’t trying to deliberately delete other people’s vacation plans. But my DS14 (who is arguably more tech savvy than 75% of the general population) accidentally deleted all my phone contacts after R when our phones got linked up after we added a new device. I’m not saying that could happen here, but I am saying I’m not sure most people would just log out and back in—some might try to cancel (on their own, without calling Disney first) if they thought someone had made reservations in their name. And I also can see Disney NOT replacing FP if that happened, if whatever CS person happened to answer the call didn’t believe such a thing was possible. (I’ve been told recently that a couple of glitches weren’t possible after they happened to me...and we all know that issue recovery is highly variable anyway). That’s why, like so many PP have said, it’s still always important to report issues—100 cases might stay within the IT group, but 1000 or 10,000 may get the word out to the rest of customer service.
 

Could not agree more. Thanks.
 
Let’s assume someone accesses my account but the usual safeguards are in place. That someone can’t see/edit my full credit card number but they can see the last 4, expiration date, and my name as it appears on the card. That’s a lot of information for someone who knows how to use it.

Still assuming the usual safeguards are in place, that someone can still change my ADRs, FP+, itineraries, etc. IMHO, that’s a big deal.

Now let’s talk about the elephant in the room. Those usual safeguards clearly are NOT in place. If someone can access my account like that how can we really be sure the rest of the safeguards will always work as expected?

Additionally, if a hacker gets wind of this, that same said hacker could possibly find and exploit the security hole that allowed this to happen in the first place...then our full card numbers could wind up out in the open.

I don't care what anyone says. This is a serious security hole with potentially serious implications.

ETA, I deleted my credit card info just to be safe.

Mike
Exactly. When major retailers have a security breach involving credit card info it is ALL OVER the news. Customers are contacted that their credit card info *may* have been compromised and advised how to move forward. If this is happening on an ongoing basis with Disney, why isn't it a major news story? And why are those of us with MDE accounts not being informed by Disney that glitches are occurring and to please delete our card info to be on the safe side?
 