A Navia breach exposed personal data of nearly 300 HackerOne employees after attackers compromised the benefits provider.

HackerOne revealed that a data breach at Navia Benefit Solutions exposed the personal information of nearly 300 of its employees. The incident stems from an attack on the third-party benefits provider, highlighting how breaches at external partners can affect even cybersecurity companies and their staff.

Last week, Navia Benefit Solutions disclosed a data breach affecting 2,697,540 individuals. Navia Benefit Solutions is a U.S.-based company that provides employee benefits administration services to employers and their staff. Founded in 1989 and headquartered in Washington State, Navia serves thousands of employers across the U.S., offering tools and platforms that help employees manage healthcare and financial benefits.

Attackers had access to Navia’s systems from December 22, 2025, to January 15, 2026. The company detected suspicious activity on January 23, 2026, launched an investigation, and determined that sensitive personal data had been accessed and acquired during the intrusion.

Navia’s notification states that the exposed data could include name, date of birth, Social Security number, phone number, email address, and benefit type, such as Health Reimbursement Arrangements (HRAs), Flexible Spending Accounts (FSAs), or Consolidated Omnibus Budget Reconciliation Act (COBRA) coverage. Other potentially impacted data points are limited to items such as termination date and election date. 
No claims or financial data were exposed.

“On January 23, 2026, Navia discovered suspicious activity related to our environment. Navia promptly responded and launched an investigation to confirm the nature and scope of the incident. The investigation determined that an unauthorized actor accessed and acquired certain information between December 22, 2025, and January 15, 2026,” reads the data breach notification. “We conducted a thorough review of the activity to determine which individuals may have been impacted by this event. We are notifying you because that investigation determined certain information related to you was impacted.”

Navia confirmed the breach did not expose claims or financial data, but warned that the leaked information could still enable phishing and social engineering attacks. The company said it reviewed its security measures, improved its policies, and notified federal law enforcement. Navia is offering affected individuals 12 months of free identity protection and credit monitoring from Kroll.

HackerOne reported that 287 of its employees may have been impacted by the Navia data breach, according to a filing with the Maine Attorney General’s Office. HackerOne said Navia sent a notification dated February 20, 2026, but the letter was not delivered until March, highlighting the delay in breach disclosure and communication down the supply chain.

“At this time, we have been informed that a Broken Object Level Authorization (BOLA) vulnerability led to an unknown actor accessing Navia data between December 22, 2025 and January 15, 2026. On January 23, 2026, Navia became aware of suspicious activity in their environment. Navia sent letters dated February 20, 2026 to impacted companies,” reads the notification letter HackerOne shared with the Maine AGO. “The letter was not delivered to HackerOne until March. We have now received confirmation of the data elements that have been impacted. 
We are still awaiting additional information about the vulnerability that led to this incident, and a satisfactory reason for the delay in their notification to us. Navia has expressed that they will be providing required notifications to impacted individuals. However, we wanted to reach out as soon as possible to let you know about this incident and how you may have been impacted so that you are able to take appropriate safeguards.”

The Navia breach exposed HackerOne employee data such as Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, and benefits details (health/non-health participation and enrollment dates). Data for dependents may also be affected. Not all fields were exposed for every individual; specific impact details will be shared in the individual notifications.

HackerOne said it is taking the breach seriously: it has launched its own investigation into the incident and is working with Navia to understand how the breach occurred and to improve protections for employee and dependent data. It is also reviewing Navia’s security practices and may consider alternative providers if those practices do not meet its standards. Navia stated it has no evidence of data misuse so far, but this is a common disclaimer in breach notifications, and while no stolen data has surfaced publicly, such assurances have proven unreliable in past incidents.

“We will undertake our own investigation to assess this incident and are actively communicating with Navia to understand more about how and why this incident occurred and identify immediate areas for improvement to ensure the data of our employees and their dependents is protected,” concludes the notification. “HackerOne will also be evaluating Navia’s privacy and security policies and practices. If we are not satisfied, we will explore other potential options for benefits providers with our broker.”

Pierluigi Paganini, Security Affairs
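HackerOne’s letter attributes the intrusion to a Broken Object Level Authorization (BOLA) flaw, and the article notes that further details about the vulnerability are still pending. Nothing about Navia’s actual API or code is public, so the following is an added illustration only, written for this page and not taken from Navia, HackerOne, or the notifications: a hypothetical benefits-portal endpoint that returns an enrollment record by ID, shown once without an ownership check (the BOLA pattern) and once scoped to the authenticated participant and employer. The record IDs, participants, employers, and `Session` object are all constructed for the example.

```python
"""Added illustration of a BOLA flaw and its fix in a hypothetical benefits API.

Not Navia's code; nothing about Navia's API is public. All identifiers,
records and sessions below are constructed for the example.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller requests an object it is not authorized to read."""


@dataclass(frozen=True)
class Enrollment:
    record_id: int
    employer_id: str      # tenant: the employer whose plan this is
    participant_id: str   # the employee the record belongs to
    ssn_last4: str
    plan_type: str        # e.g. "FSA", "HRA", "COBRA"
    election_date: str


@dataclass(frozen=True)
class Session:
    """Server-side session established at login; never client-controlled."""
    participant_id: str
    employer_id: str


# Constructed sample data: two participants at two different employers,
# with sequential record IDs (the property that makes enumeration trivial).
ENROLLMENTS = {
    1001: Enrollment(1001, "emp-A", "user-alice", "1234", "FSA", "2025-11-01"),
    1002: Enrollment(1002, "emp-B", "user-bob", "5678", "HRA", "2025-11-03"),
}


def get_enrollment_vulnerable(session: Session, record_id: int) -> Enrollment:
    """BOLA: the lookup is keyed only by the client-supplied record ID.

    The session is authenticated but never consulted, so any logged-in user
    who can guess or walk the ID space reads every other participant's record.
    """
    return ENROLLMENTS[record_id]


def get_enrollment_fixed(session: Session, record_id: int) -> Enrollment:
    """Object-level authorization: the record must belong to the caller.

    Ownership is checked against the stored owner fields and the server-side
    session, not against any value the client sent in the request.
    """
    record = ENROLLMENTS.get(record_id)
    # Same error for "does not exist" and "not yours", so the endpoint does
    # not act as an oracle for which record IDs are valid.
    if (record is None
            or record.participant_id != session.participant_id
            or record.employer_id != session.employer_id):
        raise Forbidden(f"record {record_id} not accessible")
    return record


def enumerate_records(session: Session, handler, id_range) -> list:
    """Simulate an attacker walking the ID space with one valid session.

    Returns the record IDs the given handler allowed the session to read.
    """
    readable = []
    for rid in id_range:
        try:
            handler(session, rid)
            readable.append(rid)
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    alice = Session("user-alice", "emp-A")
    ids = range(1000, 1010)
    print("vulnerable handler:", enumerate_records(alice, get_enrollment_vulnerable, ids))
    print("fixed handler:     ", enumerate_records(alice, get_enrollment_fixed, ids))
```

With one valid session, the vulnerable handler lets the caller read both records (1001 and 1002) by stepping through IDs, while the fixed handler returns only the caller’s own record (1001). The check belongs in the data-access path itself, scoped to both the participant and the employer tenant, so that every route reaching the record inherits it rather than relying on each endpoint to remember to filter.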
Published: 2026-03-25T12:37:14