Cyber Threat Actor: Hector Navarro
| Actor Type | Location | Known Incidents |
Insider - Disgruntled
|
United States of America
|
1 incident |
|---|
Profile
Hector Navarro, alsoknown by the alias Hector Navarro, is a former human resources systems administrator who operated from the United States, specifically residing in Brooklyn while employed at Century 21’s Manhattan department store. In October 2019, prior to his resignation, Navarro created an unauthorized “superuser” account on the company’s network and subsequently used it from his personal apartment to access Century 21 systems after leaving the organization. He stole employee data, deleted information related to consultants hired to replace him, and altered the company’s holiday payroll policy in a manner that could have resulted in erroneous payments exceeding $50,000 if undetected. The breach was discovered when replacement consultants encountered access problems, prompting Century 21 to invest significant resources to reverse the unauthorized changes and restore normal operations. Navarro was later indicted by the Manhattan District Attorney’s Office on charges including attempted grand larceny in the second degree, computer tampering in the third degree, computer trespass, and petit larceny, reflecting the financial and disruptive nature of his actions.
The incident demonstrates Navarro’s targeting of the real estate sector through its human resources and timekeeping systems, with a geographic focus on New York City. His strategic objectives were explicitly financial, as evidenced by the attempted grand larceny charge and the manipulation of payroll policies intended to generate illicit funds, and disruptive, shown by the deletion of consultant access data that hindered business continuity. The tactics, techniques, and procedures observed in this case involve the abuse of legitimate administrative credentials, the creation of a hidden superuser account as a persistence mechanism, insider‑initiated account tampering, and the modification of internal policy configurations; no malware families, external initial access vectors, or specialized tooling were reported. No public attribution links Navarro to a state sponsor, criminal consortium, or broader affiliate network, and the case is treated as an individual insider threat. The Century 21 compromise remains the sole publicly documented operation associated with this actor, serving as a representative example of how privileged insider access can be exploited for both monetary gain and operational sabotage.
