
Former Employee Breached Company Payroll Data

by Chris Brook on Thursday October 22, 2020

Before resigning, the employee stole company data and created a "superuser" account that let him access the network after he left.

A former IT administrator in New York was indicted this week for reportedly meddling with his former employer's company network.

According to the office of Manhattan District Attorney Cy Vance, which announced the charges - seven in all - on Wednesday, the employee, Hector Navarro, used to work at the New York department store chain Century 21.

While Century 21 filed for bankruptcy and liquidated its stores in September, the events of this case transpired in October 2019, shortly after Navarro resigned from the company.

According to the DA’s office, Navarro worked as a systems administrator and manager for Century 21’s Human Resources Systems and Administration department, rising up from various other roles involving human resources, staffing, timekeeping, and scheduling at the company, per his LinkedIn profile.

Shortly before resigning from the company, however, Navarro reportedly stole employee data from the company and created a "superuser" account on its network, something that allowed him to access the network from anywhere after cutting ties with Century 21.

It’s not clear what kind of employee data Navarro stole - it's assumed it was related to the company's payroll - but according to Vance, his tampering could have cost the company in excess of $50,000 if left unnoticed.

“If left undetected, this former employee’s alleged tampering could have cost Century 21 more than $50,000,” Vance said in a press release Wednesday. “Unauthorized access to computer networks and the theft of valuable proprietary data are serious threats to the Manhattan business community.”

Navarro went on to use the superuser account from his Brooklyn apartment to tinker with other accounts, delete data on consultants hired to replace him, and make changes to the company's holiday payroll policy "which, if undiscovered, would have paid certain employees for holidays whether they worked on those dates or not."

It's unclear if the company had mechanisms in place to prevent the theft of employee data in the first place. According to the DA’s office, Century 21 didn't discover the breach until consultants hired to replace Navarro discovered they were unable to use the network after he’d deleted data belonging to them, presumably login credentials.

Navarro is being charged with the following:

  • Criminal Mischief in the Second Degree, a class D felony, three counts
  • Attempted Grand Larceny in the Second Degree, a class D felony, one count
  • Computer Tampering in the Third Degree, a class E felony, three counts
  • Computer Trespass, a class E felony, one count
  • Unauthorized Use of a Computer, a class A misdemeanor, one count
  • Petit Larceny, a class A misdemeanor, one count
  • Criminal Possession of Stolen Property in the Fifth Degree, a class A misdemeanor, one count

In many ways the case has all the hallmarks of a hybrid insider threat/privileged access abuse incident. Because he had access to sensitive data and infrastructure, Navarro had the ability to open, move, and steal employee data. It also allowed him to create a superuser account, essentially granting him “God Mode” access across the entire network. While it's impossible to say whether having a solution in place to prevent Navarro's misdeeds would have worked, there's a chance it could have given the company a heads up sooner that something nefarious was afoot.

Tags:  Insider Threat
