A Hungarian citizen pleaded guilty today to intentionally causing damage by transmitting a malicious code to Marriott International Corporation computers and to threatening to reveal confidential information obtained from the company’s computers if Marriott did not offer him a job.
Assistant Attorney General Lanny A. Breuer of the Justice Department’s Criminal Division announced the guilty plea with U.S. Attorney for the District of Maryland Rod J. Rosenstein and Special Agent in Charge David Beach of the U.S. Secret Service, Washington Field Office.
According to the plea agreement, Attila Nemeth, 26, admitted that on Nov. 11, 2010, he sent an initial email to Marriott personnel, informing them that he had been accessing Marriott’s computers for months and had obtained proprietary information. Nemeth threatened to reveal this information if Marriott did not give him a job maintaining the company’s computers.
On Nov. 13, 2010, after receiving no response from Marriott, Nemeth sent another email containing eight attachments as proof of the intrusion and acquisition of their files. These documents included financial documentation and other confidential and proprietary information. Nemeth admitted that he had gained access to their system through an infected email attachment sent to specific Marriott employees.
On Nov. 18, 2010, Marriott created the identity of a fictitious Marriott employee for the use by the U.S. Secret Service in an undercover operation to communicate with Nemeth. Nemeth, believing he was communicating with Marriott human resources personnel, continued to call and email the undercover agent, and demanded a job with Marriott in order to prevent the public release of the Marriott documents. Nemeth emailed a copy of his Hungarian passport as identification and offered to travel to the United States.
On Jan. 17, 2011, Nemeth arrived at Washington Dulles Airport on a ticket purchased by Marriott, for an “employment interview.” The “interview” was conducted by a Secret Service agent assuming the role of the Marriott employee with whom Nemeth believed he had been communicating. During the course of the “interview,” Nemeth admitted that he accessed Marriott’s computer systems; stole Marriott’s confidential and proprietary information; and initiated the emails to Marriott threatening to publicly release Marriott’s data unless he was given a job on his terms by Marriott. To further prove his identity as the perpetrator, Nemeth demonstrated exactly how he accessed the Marriott network; his continued ability to access the Marriott network; and the location of the stolen Marriott proprietary data on a computer server located in Hungary.
The intrusion resulted in Marriott engaging more than 100 of its employees in a thorough search of its network to determine the scope of the compromise and to identify the data that may have been compromised. The loss to Marriott as a result of the intentional damage caused by Nemeth is between $400,000 and $1 million dollars in salaries, consultant expenses and other costs.
Nemeth faces a maximum penalty of 10 years in prison for the transmission of the malicious code and a maximum of five years in prison for threatening to expose confidential and proprietary information if Marriott did not give him a job.
Sentencing is scheduled for Feb. 3, 2012, at 11 a.m. Nemeth remains detained.