Last Update: 04/05/2026 at 2:50 PM EST
Navia Breach Exposes Employee Data
Coverage from Custommapposter, BleepingComputer, and others
Articles: 3
Latest Article: 03/26
Active Days: 8
Executive Summary
Navia says a broken object level authorization (BOLA) flaw let attackers access employee and dependent data for weeks, exposing sensitive identifiers and raising privacy and notification concerns.
- BOLA flaw allowed unauthorized access to Navia systems from Dec. 22, 2025 to Jan. 15, 2026
- Sensitive data exposed included SSNs, names, addresses, birth dates, contact details and enrollment records
- Navia discovered suspicious activity on Jan. 23, 2026 and notified affected parties on Feb. 20, 2026
- Reports say nearly 2.7 million individuals were notified, while HackerOne cited 287 affected employees
- Claims and financial information were not exposed, but the data could support phishing and impersonation
- No threat group has claimed responsibility and attribution remains unresolved
- Navia said it reviewed security posture, notified law enforcement and offered identity protection
Quick Facts
- What: Unauthorized access exposed sensitive employee and dependent data
- Where: Navia benefits administration systems in the United States
- Why: A BOLA authorization flaw enabled the intrusion and data exposure
- Who: Navia Benefit Solutions and affected employees and dependents
- When: Access ran from Dec. 22, 2025 to Jan. 15, 2026

