HackerOne Faults Navia After Breach Exposes 287 Employees' Data

A benefits vendor lapse shows how a single supplier can leak sensitive worker data across many employers.

Overview

  • HackerOne said a Navia breach exposed personal details for 287 employees, including Social Security numbers, birth dates, contact information, and health plan and dependent data.
  • An unknown attacker used a Broken Object Level Authorization flaw, a bug that lets users fetch data they should not see, to access Navia records from December 22, 2025 to January 15, 2026.
  • Navia detected suspicious activity on January 23 and dated customer notices February 20, but HackerOne said its letter arrived in March and it is seeking a reason for the delay.
  • Navia reported the incident affected about 2.7 million people and said it has seen no signs of misuse. No cybercrime group has claimed responsibility.
  • HackerOne is reviewing Navia’s security practices and may change providers, while affected workers are being urged to watch for fraud and use 12 months of free identity and credit monitoring.