Software Programmer Pleads Guilty To Hacking Into Network Of Long Island High-Voltage Power Manufacturer
Defendant, A Disgruntled Insider, Harvested Login Credentials Of Fellow Employees Before Resigning And Launching Digital Retaliation Campaign
Earlier today in the federal courthouse in Central Islip, New York, Michael Meneses, a software programmer who formerly resided in Smithtown, Long Island, pleaded guilty to hacking into the computer network of a Long Island-based company that manufactures high-voltage power supplies. Today’s guilty plea proceeding took place before the Honorable Joseph F. Bianco, United States District Judge, Eastern District of New York.
The guilty plea was announced by Loretta E. Lynch, United States Attorney for the Eastern District of New York, and Diego G. Rodriguez, Assistant Director-in-Charge, Federal Bureau of Investigation (FBI), New York Field Office.
“The defendant used his programming knowledge to hack into the computer network of his former employer and launch a campaign of digital retaliation,” stated United States Attorney Lynch. “The threat posed by disgruntled and former employees is serious, and we will continue to work closely with our law enforcement and private sector partners to vigorously prosecute insider attacks.” Ms. Lynch expressed her grateful appreciation to the FBI, the agency that led the government’s investigation.
According to court filings and facts presented at the plea hearing, the defendant was employed at the victim company from May 2008 through January 2012 as a software programmer and system manager. In that capacity, he developed and customized software that the company used to run its business operations, including its purchasing, inventory control, production planning, production, accounting, and sales. The defendant’s responsibilities gave him high-level access to the company’s computer network.
In December 2011, the defendant, who had voiced displeasure at having been passed over for promotions, tendered his resignation from the victim company and gave two weeks’ notice. Prior to tendering his resignation, the defendant created an unauthorized computer program that harvested the user logins and passwords of fellow company employees. Following termination of his network access, the defendant used the login credentials to remotely access the network from his home and from a hotel located near his new employer. In the weeks that followed, the defendant used these credentials to launch a campaign to inflict damage on his former employer by gaining unauthorized access to its network and sabotaging its business. For example:
The defendant deleted a line of code in a software program that the victim company used to calculate work order costs, leading the company to incorrectly calculate these costs.
The defendant remotely accessed the victim company’s network, read an email sent by his former supervisor to one of his former colleagues about a candidate for the defendant’s former position, created the email address “firstname.lastname@example.org,” and sent the candidate a message that stated, “Don't accept any position from [the victim company].”
The defendant gained unauthorized access to the victim company’s network and modified a database so it would appear to be March 2012 rather than February 2012. As a result, the company was unable to process routine transactions.
The defendant remotely accessed the victim company’s network and manually purged a purchase order table, which prevented the company from converting purchase requisitions to purchase orders.
The victim company incurred significant costs in investigating and remediating the damage caused by the defendant’s unauthorized access to its computer network.
When sentenced on July 7, 2015, the defendant faces up to 10 years in prison, as well as restitution and a fine.
The government’s case is being prosecuted by Assistant United States Attorneys Douglas M. Pravda and Charles N. Rose.
E.D.N.Y. Docket No. 13-CR-321 (JFB)