Navia Benefit Solutions reports data exposure impacting 2.7 million individuals
Summary
Hide ▲
Show ▼
Navia Benefit Solutions confirmed a data breach affecting approximately 2.7 million individuals, with unauthorized access occurring between December 22, 2025, and January 15, 2026. The breach was attributed to a Broken Object Level Authorization (BOLA) vulnerability, and the exposed data includes full names, dates of birth, Social Security Numbers, phone numbers, email addresses, and enrollment details for HRA, FSA, and COBRA programs. No claims or financial information was exposed, but the incident heightened risks of phishing and identity theft. The breach also impacted HackerOne, a bug bounty platform, exposing sensitive data for 287 employees and their dependents, including Social Security numbers, addresses, and plan enrollment details. Navia notified law enforcement, offered 12 months of identity protection services, and sent letters to impacted companies on February 20, 2026. The incident has not been attributed to a specific cybercrime group or ransomware operation.
Timeline
-
19.03.2026 22:43 2 articles · 5d ago
Navia Benefit Solutions identifies prolonged unauthorized access affecting 2.7 million individuals
Unauthorized access to Navia’s systems occurred from December 22, 2025, to January 15, 2026, attributed to a Broken Object Level Authorization (BOLA) vulnerability. Suspicious activity was detected on January 23, 2026, and Navia became aware of the breach. Exposed data includes full names, dates of birth, Social Security Numbers, contact details, enrollment information for HRA, FSA, and COBRA programs, and additional details for dependents of affected individuals. No claims or financial data was compromised. Navia notified law enforcement, offered 12 months of identity protection services via Kroll, and sent letters to impacted companies on February 20, 2026. The incident heightens risks of phishing and identity theft targeting affected individuals.
Show sources
- Navia discloses data breach impacting 2.7 million people — www.bleepingcomputer.com — 19.03.2026 22:43
- HackerOne discloses employee data breach after Navia hack — www.bleepingcomputer.com — 24.03.2026 16:01
Information Snippets
-
Unauthorized actor maintained access to Navia’s systems from December 22, 2025, to January 15, 2026.
First reported: 19.03.2026 22:431 source, 2 articlesShow sources
- Navia discloses data breach impacting 2.7 million people — www.bleepingcomputer.com — 19.03.2026 22:43
- HackerOne discloses employee data breach after Navia hack — www.bleepingcomputer.com — 24.03.2026 16:01
-
Breach discovery occurred on January 23, 2026, following detection of suspicious activity.
First reported: 19.03.2026 22:431 source, 2 articlesShow sources
- Navia discloses data breach impacting 2.7 million people — www.bleepingcomputer.com — 19.03.2026 22:43
- HackerOne discloses employee data breach after Navia hack — www.bleepingcomputer.com — 24.03.2026 16:01
-
Exposed data includes full name, date of birth, Social Security Number, phone number, email address, and enrollment details for HRA, FSA, and COBRA programs.
First reported: 19.03.2026 22:431 source, 1 articleShow sources
- Navia discloses data breach impacting 2.7 million people — www.bleepingcomputer.com — 19.03.2026 22:43
-
Navia states no claims or financial information was exposed in the incident.
First reported: 19.03.2026 22:431 source, 2 articlesShow sources
- Navia discloses data breach impacting 2.7 million people — www.bleepingcomputer.com — 19.03.2026 22:43
- HackerOne discloses employee data breach after Navia hack — www.bleepingcomputer.com — 24.03.2026 16:01
-
Navia is a U.S.-based administrator of benefits serving over 10,000 employers, specializing in FSA, HSA, HRA, commuter benefits, COBRA services, and related compliance offerings.
First reported: 19.03.2026 22:431 source, 1 articleShow sources
- Navia discloses data breach impacting 2.7 million people — www.bleepingcomputer.com — 19.03.2026 22:43
-
HackerOne, a bug bounty platform, disclosed an employee data breach involving 287 individuals after attackers compromised Navia Benefit Solutions.
First reported: 24.03.2026 16:011 source, 1 articleShow sources
- HackerOne discloses employee data breach after Navia hack — www.bleepingcomputer.com — 24.03.2026 16:01
-
The breach at Navia was attributed to a Broken Object Level Authorization (BOLA) vulnerability exploited between December 22, 2025, and January 15, 2026.
First reported: 24.03.2026 16:011 source, 1 articleShow sources
- HackerOne discloses employee data breach after Navia hack — www.bleepingcomputer.com — 24.03.2026 16:01
-
Exposed data for HackerOne employees included Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, plan enrollment dates, effective dates, and termination dates for employees and their dependents.
First reported: 24.03.2026 16:011 source, 1 articleShow sources
- HackerOne discloses employee data breach after Navia hack — www.bleepingcomputer.com — 24.03.2026 16:01
-
HackerOne notified affected employees via a filing with the Office of the Maine Attorney General and sent letters dated February 20, 2026, to impacted companies.
First reported: 24.03.2026 16:011 source, 1 articleShow sources
- HackerOne discloses employee data breach after Navia hack — www.bleepingcomputer.com — 24.03.2026 16:01
-
Navia’s February 20, 2026 letters to impacted companies confirmed the breach scope and provided identity protection services.
First reported: 24.03.2026 16:011 source, 1 articleShow sources
- HackerOne discloses employee data breach after Navia hack — www.bleepingcomputer.com — 24.03.2026 16:01
Similar Happenings
TriZetto Healthcare Data Breach Exposes 3.4 Million Patient Records
TriZetto Provider Solutions, a healthcare IT company under Cognizant, suffered a data breach that exposed sensitive health data of over 3.4 million individuals. The breach began on November 19, 2024, and was detected on October 2, 2025. The exposed data includes names, addresses, Social Security numbers, and health insurance details. Affected providers were notified in December 2025, and customer notifications started in February 2026. TriZetto has enhanced its cybersecurity measures and offered free credit monitoring services to affected individuals. No financial data was compromised, and no misuse of the data has been reported. The breach was discovered in a web portal used by some of its healthcare provider customers, and TriZetto's platform is certified to SOC 2, EHNAC, and HITRUST.
700Credit Data Breach Exposes 5.8 Million Records via Compromised API
700Credit, a major credit report and identity verification service, disclosed a data breach affecting 5,836,521 individuals. The breach, linked to a compromised third-party API, occurred between May and October 2025. Hackers accessed personal information, including names, addresses, dates of birth, and Social Security numbers, through a partner's system compromised in July 2025. The incident was contained to the 700Dealer.com application layer, and the company is offering affected individuals 12 months of free credit monitoring and identity restoration services. 700Credit began notifying impacted dealership clients on November 21 and will notify affected individuals starting December 22. The company has collaborated with the National Automobile Dealers Association (NADA) and reported the incident to the Federal Trade Commission (FTC), FBI, and various state attorney general offices. 700Credit serves over 23,000 automotive, RV, Powersports, and Marine dealer customers. The breach was due to a failure to validate consumer reference IDs against the original requester, and the attacker exfiltrated around 20% of consumer data. 700Credit revealed the breach in a notification to the Maine Office of the Attorney General (OAG) and advised affected customers to place a fraud alert and security freeze on their credit file.
Conduent Data Breach Affects Millions
Conduent, a business services provider, has confirmed that a data breach in 2024 impacted over 10.5 million individuals. The breach, initially disclosed in January 2025, affected government agencies in multiple US states. The attackers accessed Conduent's network on October 21, 2024, and were evicted on January 13, 2025. The compromised data includes names, addresses, dates of birth, Social Security numbers, health insurance details, and medical information. Conduent serves over 600 government and transportation organizations, and roughly half of Fortune 100 companies. The company has not provided an exact number of affected individuals, but breach notices indicate at least 10.5 million people were impacted, with the largest number in Oregon (10.5 million) and over 4 million in Texas. The Safepay ransomware group claimed responsibility for the attack in February 2025 and claimed to have stolen 8.5TB of data. Conduent provides services to several other states where specific data breach figures aren't published, potentially increasing the actual impact. As of October 24, 2025, there is no evidence that the stolen data has been misused. Additionally, Volvo Group North America disclosed that nearly 17,000 customers and/or staff had their personal details exposed in the Conduent data breach. Conduent is sending notifications to impacted parties, offering free membership to identity monitoring services for at least a year, along with credit and dark web monitoring, and identity restoration. Volvo Group North America has recently suffered a new data breach caused by a third-party supplier, Miljödata, exposing staff data such as full names and Social Security Numbers. The breach at Miljödata in August 2025 exposed the information of 1.5 million people, including Volvo Group employees in Sweden and the U.S. Ingram Micro, a major IT services provider, revealed a ransomware attack in July 2025 that affected over 42,000 individuals. The SafePay ransomware group was behind this attack, claiming to have stolen 3.5TB of documents. The attack triggered a massive outage and highlighted SafePay's growing activity as a significant ransomware threat.