Navia Benefit Solutions, a backend workplace benefits administrator serving over 10,000 US employers, suffered a cyberattack that exposed personal data of nearly 2.7 million Americans. Attackers had silent read-only access for three weeks (December 22, 2025 – January 15, 2026), exfiltrating SSNs, dates of birth, phone numbers, email addresses, and health benefits enrollment data (FSA, HRA, COBRA) — some records dating back to 2018. Security experts highlight that read-only access is not low-risk, as it enables systematic data exfiltration without triggering destructive-attack alerts. The incident underscores the hidden exposure risk of backend third-party processors, where individuals have no direct relationship or visibility. Recommendations include treating sensitive data access as high-signal events, alerting on abnormal read patterns, enforcing least privilege, and requiring independent audits and data minimization from vendors. Affected individuals are offered 12 months of identity protection through Kroll.
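The "alert on abnormal read patterns" recommendation above, as an added detection example (not code from the article, from Navia, or from any vendor named): it aggregates a constructed access log of sensitive-record reads per principal per day, builds a per-principal baseline from the earliest days, and flags principals whose read volume stays far above that baseline for several consecutive days. The log format, principal names and thresholds are assumptions.

```python
"""Flag sustained high-volume reads of sensitive records per principal.

Added example; the log below is constructed. A single read of a benefits
record is routine. Thousands of reads a day, sustained for days, with nothing
modified, is the 'read-only' activity the article argues should be treated
as a high-signal event instead of falling below the destructive-attack bar.
"""
from collections import defaultdict

# Constructed log: (principal, ISO date, sensitive records read that day)
ACCESS_LOG = [
    ("svc-reporting", "2025-12-20", 120),
    ("svc-reporting", "2025-12-21", 135),
    ("svc-reporting", "2025-12-22", 4800),
    ("svc-reporting", "2025-12-23", 5100),
    ("svc-reporting", "2025-12-24", 4950),
    ("hr-analyst", "2025-12-22", 40),
    ("hr-analyst", "2025-12-23", 38),
    ("hr-analyst", "2025-12-24", 41),
]


def daily_reads(log):
    """Aggregate records read per principal per day: {principal: {day: n}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for principal, day, n in log:
        counts[principal][day] += n
    return counts


def sustained_read_alerts(log, baseline_days=2, factor=5.0, min_days=2):
    """Return {principal: [days]} for principals whose daily reads exceed
    `factor` x their baseline on at least `min_days` consecutive days.

    The baseline is the mean of the principal's first `baseline_days` days in
    the log. In production it should come from history that predates the
    detection window, so that an intruder's first days do not set the norm.
    """
    alerts = {}
    for principal, per_day in daily_reads(log).items():
        days = sorted(per_day)  # ISO dates sort chronologically as strings
        if len(days) <= baseline_days:
            continue  # not enough history to judge
        baseline = sum(per_day[d] for d in days[:baseline_days]) / baseline_days
        run, best = [], []
        for d in days[baseline_days:]:
            run = run + [d] if per_day[d] > factor * baseline else []
            if len(run) > len(best):
                best = run
        if len(best) >= min_days:
            alerts[principal] = best
    return alerts


if __name__ == "__main__":
    print(sustained_read_alerts(ACCESS_LOG))
```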

From itsecurityguru.org