HackerOne criticizes benefits provider for delayed notification following a massive data breach

Key points

• Nearly 300 HackerOne employees had sensitive personal information—including Social Security numbers and health data—exposed due to a security breach at their benefits provider, Navia Benefit Solutions.
• The breach, which affected over 2.6 million people in total, occurred because of a security flaw in Navia’s systems that went undetected for several weeks.
• HackerOne expressed frustration with Navia for waiting months to formally notify them of the incident, calling the delay unacceptable.
• While there is no current evidence that the stolen data has been misused, HackerOne is advising affected staff to monitor their accounts for fraud and identity theft.
• HackerOne is now reviewing its relationship with Navia and may switch to a different benefits provider due to these security concerns.

This incident highlights the significant risks companies face when their sensitive data is handled by third-party suppliers. It serves as a reminder that even security-focused firms are vulnerable to the security failures of their partners, leaving employees at risk of identity theft.