Security vendor slams supplier for delayed notice after staff data exposed
Nearly 300 employees caught up in intrusion at benefits provider Navia

Carly Page, Tue 24 Mar 2026 // 13:27 UTC

Almost 300 HackerOne employees are caught up in a data breach, with the bug bounty biz slamming a third-party benefits provider for a weeks-long delay in notification.

In a filing with Maine's attorney general, HackerOne claimed the breach stemmed not from its own systems but from Navia Benefit Solutions, a US-based administrator handling employee benefits data.

According to a notification letter sent to affected staff, an unknown cyber baddie exploited a Broken Object Level Authorization (BOLA) flaw in Navia's environment, allowing unauthorized access to sensitive data between December 22, 2025, and January 15, 2026. Navia detected "suspicious activity" on January 23 and began investigating, the notice states. HackerOne says it didn't receive formal notification until March, after letters dated February 20 were sent but delayed in transit.

HackerOne made clear it is less than impressed with that timeline, noting it is still waiting for "a satisfactory reason for the delay in their notification."

The wider incident is far bigger than HackerOne alone. Navia said last week that the months-old breach of its systems affected more than 2.6 million people. Navia hasn't shared any further details about the intrusion, and its website was unavailable at the time of writing, though it's unclear whether the two are connected.
The exposed data reads like a greatest hits of identity theft fodder. HackerOne employees may have had Social Security Numbers, full names, addresses, phone numbers, dates of birth, and email addresses compromised, along with details about health plan participation and information on dependents.

While Navia has claimed there is no evidence of misuse so far, HackerOne is proceeding on the assumption that the data could still be abused. Employees were warned to watch for fraud, phishing attempts, and unusual financial activity, and to consider locking down their credit.

The company also signaled it may rethink its supplier relationships. It said it is reviewing Navia's security and privacy practices, and will consider "other potential options for benefits providers" if those don't measure up.

It's the same pattern seen time and again: a vulnerability in a supplier's system, a lag between detection and disclosure, and downstream victims left scrambling. The difference here is that the victim is HackerOne – a firm that exists to spot exactly this kind of problem.
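The article names the vulnerability class (BOLA) but not how it manifests. The following is an added illustration, not Navia's code or anything from the notification letter: a constructed benefits-record lookup in its vulnerable and fixed forms, plus a retrospective check over constructed access-log lines for the cross-user reads such a flaw leaves behind. The record layout, user ids and log format are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BenefitsRecord:
    record_id: int
    owner_id: int    # employee id that owns the record
    ssn_last4: str   # constructed sample value, not real data


# Constructed sample store: two employees, one record each (assumption).
RECORDS = {
    101: BenefitsRecord(101, owner_id=1, ssn_last4="1234"),
    102: BenefitsRecord(102, owner_id=2, ssn_last4="5678"),
}
KNOWN_USERS = {1, 2}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def owns_record(caller_id: int, record_id: int) -> bool:
    """Object-level check: does the record exist and belong to the caller?"""
    record = RECORDS.get(record_id)
    return record is not None and record.owner_id == caller_id


def get_record_vulnerable(caller_id: int, record_id: int) -> BenefitsRecord:
    """BOLA: verifies the caller is authenticated, but never that the caller
    owns record_id, so any logged-in user can read any record by changing the id."""
    if caller_id not in KNOWN_USERS:
        raise Forbidden("unknown user")
    return RECORDS[record_id]


def get_record_fixed(caller_id: int, record_id: int) -> BenefitsRecord:
    """Ownership is enforced server-side on every lookup, before any field of
    the record is returned. Missing and foreign ids get the same response so
    the endpoint does not confirm which record ids exist."""
    if caller_id not in KNOWN_USERS:
        raise Forbidden("unknown user")
    if not owns_record(caller_id, record_id):
        raise Forbidden("record not found")
    return RECORDS[record_id]


def flag_cross_user_reads(log_lines: list[str]) -> list[str]:
    """Detection over constructed log lines 'user=<id> path=/records/<id>':
    return the lines where a user read a record that is not their own."""
    flagged = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        record_id = int(fields["path"].rsplit("/", 1)[1])
        if not owns_record(int(fields["user"]), record_id):
            flagged.append(line)
    return flagged
```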