On November 23, 2011, Attila Nemeth, 26, a Hungarian citizen, pleaded guilty in federal court in the District of Maryland to intentionally causing damage by transmitting a malicious code to Marriott International Corporation computers and to threatening to reveal confidential information obtained from the company's computers if Marriott did not offer him a job.
As titillating an opening sentence as that is, you really have to read this bizarre scheme. Let's go back about a year ago to pick up the trail.
According to Nemeth's plea agreement, on Nov. 11, 2010, he sent an initial email to Marriott personnel, advising that he had been accessing Marriott's computers for months and had obtained proprietary information.
Okay, so he hacked into the company's computers. Frankly, that's upsetting but not particularly unusual. What does make Nemeth stand out is that rather than engage in the droll extortion demand for money, he threatened to reveal Marriott's confidential information unless the company gave him a job maintaining its computers.
Hey, Attila (if you don't mind me calling you by your first name), ummmm . . . you sort of need to get out a bit more, maybe cut down on the 24/7 staring at your computer screen in a darkened room. You're hacking into Marriott and your plan is to ask for a job maintaining their computers? Did you really, really think this one through?
On Nov. 13, 2010, after receiving no response from Marriott, Nemeth sent another email to his corporate victim. This email contained eight attachments, seven of which were documents on Marriott's computer system showing financial, confidential, and proprietary information.
SIDE BAR: You read it all the time. Probably, it's even happened to you - it's happened to me.
How did our budding computer hacker extortioner gain entrance to Marriot's inner sanctum? Sadly, not particularly cleverly: He sent an infected email attachment to targeted Marriott employees. Probably, against god only knows how many warnings and memo, some of those Marriott folks clicked on the attachment - thus installing malicious software on the company's computer system. Using the now open "backdoor," Nemeth accessed proprietary email and other files.
Now back to the online cat and mouse game - on Nov. 18, 2010, Marriott created the identity of a fictitious Marriott employee, which would be used by the U.S. Secret Service in an undercover sting operation aimed at flushing out Nemeth. The ruse seemed to have worked because Nemeth believed that he was communicating with Marriott human resources personnel.
To some extent, Marriott was relatively lucky that Nemeth hadn't asked to communicate with its Chief Financial Officer - the extortion could easily have been for millions of dollars. For whatever reason, our Hungarian hacker seems to have just wanted a job - albeit he had a most unconventional concept of a resume and the entire interview process. Nemeth continued to call and email the fabricated employee (a/k/a the Secret Service Agent) and demanded a job with Marriott. Well, okay, it was a bit more than a persistent request of a job, Nemeth threatened to release the Marriott documents attached to his earlier email if he wasn't hired.
As quirky as this extortion plot was, it even gets more weird.
Nemeth emailed a copy of his Hungarian passport as identification. Yeah, sort of like the bank robber who left the teller with his name and phone number in the event any jobs opened up - that was a real case too. And,yeah, they caught that idiot also.
Oh, one other thing, in addition to disclosing his identity through his passport, Nemeth also offered to travel to the United States. I guess he thought that he could seal the whole interview thing in person and land the job of his dreams at Marriott.
So, our man with a plan arrives on Jan. 17, 2011, at WashingtonDulles Airport. How did he get there? The good folks at Marriott purchased the airline ticket so that the job candidate could appear for an in-person employment interview. How generous of Marriott - I wonder if they also threw in some frequent flyer benefits or a free room upgrade. Ya gotta love it!
What I thought was a nice touch is that rather than cuff him at Dulles, the Secret Service agent with whom Nemeth was communicating via email actually conducted a job interview . Ever eager to make a winning impression, Nemeth admitted to the bogus Marriott employee/Secret Service agent that he had illegally accessed Marriott's computer systems; stolen confidential and proprietary information; and sent the extortionate emails. A particularly nice touch was when Nemeth demonstrated to the undercover agent exactly how he accessed the Marriott network - which was accomplished through a computer server located in Hungary.
SIDE BAR: Federal prosecutors alleged that Nemeth's security breach required Marriott to engage over 100 of its employees to determine the extent of the compromise of its computers and to identify the compromised data, costing $400,000 and $1 million dollars in salaries, consultant expenses and other costs.
Nemeth faces a maximum penalty of 10 years in prison for transmitting malicious code, and five years for threatening to expose confidential and proprietary information Sentencing is scheduled for Feb. 2012, during which time Nemeth will remain detained.