Navia Benefit Solutions 2.7M Records Exposed via BOLA API Flaw

Mar 26, 2026 · 2.7M records · BOLA API flaw

By Karim El Labban · ZERO|TOLERANCE

A Broken Object Level Authorization (BOLA) vulnerability in Navia Benefit Solutions' API exposed 2,697,540 benefit plan participant records over a 24-day intrusion window.

Navia - a third-party administrator managing Flexible Spending Accounts, Health Reimbursement Arrangements, COBRA, and HSA plans for more than 10,000 employer clients - confirmed that an unauthorized party exploited the flaw between December 22, 2025 and January 15, 2026 to access seven years of enrollment data dating back to 2018. The exposed records include Social Security numbers, dates of birth, and dependent information for nearly 2.7 million individuals.

Among the downstream victims: 287 employees of HackerOne - the world's largest bug bounty platform - and approximately 35,600 members of Washington State's public employee health plans.

HackerOne publicly criticized Navia for a notification delay exceeding six weeks after detection. At least nine federal class action lawsuits have been filed in the Western District of Washington.

01

KEY FACTS

  • What: A BOLA vulnerability in Navia's participant API allowed unauthorized read access to 2.7 million benefit plan records spanning seven years.
  • Who: Navia Benefit Solutions (Seattle, WA) - third-party benefits administrator for 10,000+ employer clients and 1M+ enrolled participants. Downstream victims include HackerOne (287 employees) and Washington State HCA (~35,600 members).
  • How: Broken Object Level Authorization (BOLA) - #1 in the OWASP API Security Top 10. Authenticated users could manipulate API endpoints to access records beyond their authorized scope.
  • Data: Full names, SSNs, DOBs, addresses, phone numbers, emails, Navia IDs, Employee IDs, enrollment dates, HRA/FSA/COBRA participation, dependent information. Seven years of records (2018-2025).
  • Actor: Unknown. No threat actor has claimed responsibility. No evidence of data appearing on dark web markets or leak sites as of March 26, 2026, based on monitoring of major marketplaces, ransomware leak sites, and underground forums.
  • Impact: 2,697,540 individuals exposed. Notification delays exceeding six weeks. At least nine federal class action lawsuits filed. HackerOne publicly reviewing vendor relationship. Washington State issuing 35,600 notification letters. Federal law enforcement notified.

02

WHAT HAPPENED

On December 22, 2025, an unauthorized party began exploiting a Broken Object Level Authorization flaw in Navia Benefit Solutions' API. The vulnerability allowed authenticated users to manipulate API endpoints to retrieve participant records beyond their authorized scope - meaning any user with valid credentials could access any other participant's data by modifying object references in API calls.

The unauthorized access continued undetected for 24 days, ending on January 15, 2026.

Navia detected unusual activity on January 23, 2026 - eight days after the unauthorized access had already stopped. The company engaged external forensic specialists and breach counsel to investigate.

By late January, investigators confirmed the scope: 2,697,540 individuals across more than 10,000 employer clients had their records accessed. The access was read-only. Investigators found no evidence of data modification, fund movement, or access to claims data or bank accounts.

What followed was a notification timeline that drew sharp public criticism. Navia dated its notification letters February 20, 2026, but the letters were delayed in transit.

Navia posted a public disclosure on its website on March 2. A substitute breach notice was uploaded on March 13. Individual notification letters did not begin mailing until March 18 - nearly two months after the company detected the breach and nearly three months after the intrusion began.

Navia filed with the Maine Attorney General's office listing 2,697,540 affected individuals.

Navia offered 12 months of free identity protection services through Kroll, which WA HCA documents describe as "a global incident response provider" handling notification drafting, call center operations, and monitoring services, suggesting Kroll's role extends beyond monitoring into broader incident response. Navia also temporarily disabled participant portal registration while it remediated the vulnerability.

The notification delay became a flashpoint when HackerOne - a San Francisco-based bug bounty and vulnerability disclosure platform whose own 287 employees were among the victims - publicly criticized Navia on March 23-24, 2026, in statements reported by BleepingComputer, The Register, and SecurityWeek.

HackerOne stated it was "still waiting for a satisfactory reason for the delay" in receiving formal notification. The company did not receive notice from Navia until March 2026, more than six weeks after Navia detected the breach.

HackerOne initiated a review of Navia's security and privacy practices and signaled it may switch to an alternative benefits provider.

The irony was not lost on the cybersecurity community: the world's preeminent vulnerability disclosure platform had its employees' SSNs exposed through precisely the kind of API vulnerability its own researchers catalog daily.

Washington State's Health Care Authority disclosed that approximately 35,600 current and former members of the Public Employees Benefits Board (PEBB), School Employees Benefits Board (SEBB), and Compact of Free Association (COFA) Islander programs were affected - roughly 27,000 PEBB members, 5,600 SEBB members, and 3,000 COFA members.

An additional 37 school districts that contracted with Navia before the SEBB Program launched in January 2020 were separately notified.

The WA HCA FAQ also noted that children's data may have been exposed because some participants added dependent information - such as names and dates of birth - into their accounts to set up recurring Dependent Care Assistance Program (DCAP) claims, meaning minors who do not hold their own Navia accounts could still be affected.

Navia also disclosed that it launched its forensic investigation alongside federal law enforcement.

At least nine federal class action lawsuits have been filed in the U.S. District Court for the Western District of Washington, including Fiore v. Navia (2:2026cv00929), Archie v. Navia (2:2026cv00927), Ibarra v. Navia (2:2026cv00940), Bowen v. Navia (2:2026cv00944), O'Day v. Navia (2:2026cv00960), Bryan v. Navia (2:2026cv00977), Palacios v. Navia (2:2026cv00999), Austin et al v. Navia (2:2026cv01021), and Fisher v. Navia.

Multiple additional law firms - including Bryson Harris Suciu & DeMay, Edelson Lechtzin, Murphy Law Firm, Zack Lehman Kirkpatrick, The Lyon Firm, Shamis & Gentile, Levi & Korsinsky, and Abington Law - have announced investigations or filed suits.

The pace of filings suggests a multi-district litigation (MDL) consolidation motion may follow.

03

THE THREAT ACTOR

No threat actor has claimed responsibility for the Navia breach.

No data from the incident has appeared on dark web marketplaces or leak sites as of March 26, 2026, based on monitoring of major dark web marketplaces, ransomware leak sites, and underground forums through that date.

The attack did not involve system intrusion, malware, or ransomware - it exploited a logic flaw in the API's authorization controls.

The vulnerability class itself - Broken Object Level Authorization - is the single most common API security risk, ranked #1 in the OWASP API Security Top 10 (both the 2019 and 2023 editions).

BOLA vulnerabilities occur when an API fails to verify that the authenticated user making a request is authorized to access the specific object being requested.

In practical terms: the API checked whether the user was logged in, but did not check whether the user was authorized to view the specific record they requested.

By manipulating object identifiers (such as participant IDs or enrollment record numbers) in API calls, the attacker could enumerate and retrieve records belonging to other participants.

This class of vulnerability is trivial to exploit and trivial to prevent. It requires no sophisticated tooling - only a valid session token and the ability to modify a parameter in an API request.

Automated scanners and manual testers routinely identify BOLA flaws during penetration testing.

The fact that Navia's API was vulnerable to BOLA across seven years of historical records - exposing the entire participant database - indicates that authorization controls were either never implemented at the object level or were implemented incorrectly and never tested.

04

WHAT WAS EXPOSED

The following data types were confirmed exposed for 2,697,540 individuals:

  • Full names
  • Social Security numbers - the single most sensitive US personal identifier; cannot be changed; enables identity theft, tax fraud, and synthetic identity creation
  • Dates of birth - combined with SSNs, provides the two data points most commonly required for identity verification
  • Residential addresses
  • Phone numbers
  • Email addresses
  • Navia ID numbers and Employee IDs
  • Enrollment start and end dates
  • Health Reimbursement Arrangement (HRA) participation details
  • Flexible Spending Account (FSA) information
  • COBRA enrollment records - revealing employment termination or qualifying life events
  • Dependent information - names and relationships of spouses and children

The historical scope is significant. Records dating back to 2018 were accessible, meaning seven years of benefit plan enrollment history was exposed. This includes individuals who may no longer be active participants but whose SSNs and dependent information remain in the system.

What was NOT exposed, according to Navia's investigation: claims data (specific medical services or purchases), financial information, and bank account data.

The combination of SSNs, DOBs, and addresses for 2.7 million individuals - plus their dependent information and employment benefit history - constitutes a high-value dataset for identity theft.

COBRA enrollment records are particularly sensitive because they reveal that an individual experienced a qualifying life event such as job loss, divorce, or death of a spouse - information that can be weaponized in targeted social engineering.

05

TECHNICAL FAILURE CHAIN

1. No Object-Level Authorization on API Endpoints. The root cause. Navia's API verified that users were authenticated (logged in) but failed to verify that the authenticated user was authorized to access the specific record requested.

This is the textbook definition of BOLA - OWASP API Security #1. Every API endpoint that returns participant data should enforce authorization checks that validate the requesting user's relationship to the requested object.

2. Enumerable Object Identifiers. The API used predictable or sequential identifiers (participant IDs, enrollment record numbers) that could be enumerated by an attacker.

Combined with the missing authorization check, this allowed systematic harvesting of the entire participant database. Unpredictable identifiers (UUIDs) would not have prevented the vulnerability but would have slowed enumeration.
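To make failure chain items 1 and 2 (and the BOLA description in section 03) concrete, here is an added example that is not Navia's code or any vendor's: a participant lookup written the vulnerable way beside the hardened form, using a constructed in-memory store with sequential IDs. The record fields, roles and the `Session` shape are assumptions, and `readable_ids` is the kind of authorization test a CI pipeline would run against both handlers.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed example: an in-memory participant store keyed by sequential
# integer IDs, standing in for an API's /participants/{id} lookup. The field
# names and roles are assumptions, not Navia's actual schema.
PARTICIPANTS = {
    1001: {"user_id": "u-alice", "employer_id": "emp-1", "ssn_last4": "1234"},
    1002: {"user_id": "u-bob",   "employer_id": "emp-1", "ssn_last4": "5678"},
    1003: {"user_id": "u-carol", "employer_id": "emp-2", "ssn_last4": "9012"},
}


@dataclass(frozen=True)
class Session:
    user_id: str
    employer_id: str  # employer the authenticated user belongs to
    role: str         # "participant" or "employer_admin"


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_participant_vulnerable(session: Optional[Session], participant_id: int) -> dict:
    """BOLA: verifies only that the caller is authenticated, never that this
    caller may read *this* object. Any valid session reads any record."""
    if session is None:
        raise Forbidden("not authenticated")
    record = PARTICIPANTS.get(participant_id)
    if record is None:
        raise NotFound(participant_id)
    return record


def is_authorized(session: Session, record: dict) -> bool:
    """Object-level rule: the caller owns the record, or administers the
    employer the record belongs to."""
    if record["user_id"] == session.user_id:
        return True
    return session.role == "employer_admin" and record["employer_id"] == session.employer_id


def get_participant_hardened(session: Optional[Session], participant_id: int) -> dict:
    """Same lookup with the authorization check bound to the fetched object.
    Unauthorized and nonexistent IDs both raise NotFound so the error code
    does not reveal which IDs exist."""
    if session is None:
        raise Forbidden("not authenticated")
    record = PARTICIPANTS.get(participant_id)
    if record is None or not is_authorized(session, record):
        raise NotFound(participant_id)
    return record


def readable_ids(fetch: Callable, session: Session, ids: Iterable[int]) -> List[int]:
    """Authorization test as it would run in CI: list what a single session
    can read across an ID range. Anything beyond its own records is a BOLA."""
    out = []
    for pid in ids:
        try:
            fetch(session, pid)
            out.append(pid)
        except (Forbidden, NotFound):
            pass
    return out
```

Against the constructed store, a plain participant session reads all three records through the vulnerable handler and only its own through the hardened one; an employer admin reads exactly its employer's two.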

3. No Rate Limiting or Anomaly Detection on API Access Patterns. Accessing 2.7 million records over 24 days requires sustained, high-volume API queries far exceeding any legitimate user's access pattern.

No rate limiting, behavioral analytics, or anomaly detection flagged the activity. A single authenticated user querying millions of records across thousands of employer clients should have triggered immediate alerts.

4. Excessive Data Retention.

Seven years of participant records - including records of individuals who had long since left their employer or terminated their benefit plans - remained accessible through the same API. Data minimization principles require that records be archived or deleted when they are no longer needed for their original purpose.

Retaining seven years of SSNs in a live, API-accessible database multiplied the blast radius of the vulnerability by an order of magnitude.

5. No API Security Testing. A BOLA vulnerability is among the easiest flaws to detect through automated API security scanning or manual penetration testing.

The fact that this vulnerability persisted in production - potentially for years - indicates that Navia did not conduct regular API security assessments or, if it did, the testing failed to cover authorization logic.

6. Eight-Day Detection Gap. The unauthorized access ended on January 15. Navia did not detect unusual activity until January 23 - eight days after the intrusion had already stopped.

This indicates a lack of real-time monitoring on API access patterns and suggests the detection was triggered by a lagging indicator (such as a log review or third-party report) rather than active monitoring.

7. No Downstream Notification Protocol.

Navia's notification timeline - nearly two months from detection to individual letter mailing, and over six weeks from detection to formal employer notification - exposed a lack of pre-established breach notification protocols with its 10,000+ employer clients.

Benefits administrators handling SSNs and health plan data for millions of individuals must have contractual notification timelines and pre-staged communication plans.

06

MITRE ATT&CK MAPPING

The following technique mappings apply to the Navia incident, noting that BOLA exploitation does not map cleanly to ATT&CK's framework, which was designed primarily for network and endpoint intrusions rather than API logic flaws:

  • T1078 (Valid Accounts) - The attacker used authenticated credentials to access Navia's API. The method of credential acquisition - whether stolen, purchased, or legitimately held - remains unknown.
  • T1119 (Automated Collection) - The sequential enumeration of 2.7 million participant records over 24 days indicates automated scripting to iterate through predictable object identifiers.
  • T1530 (Data from Cloud Storage Object) - The closest ATT&CK mapping for unauthorized access to cloud-hosted data objects via API manipulation, though the technique was designed for storage buckets rather than API-level object reference abuse. ATT&CK lacks a dedicated technique for BOLA/IDOR exploitation - a gap given that OWASP ranks it as the #1 API security risk.

07

INDICATORS OF COMPROMISE

No traditional threat actor IOCs - incident exploited an API logic flaw (BOLA).

Vulnerability:

  • OWASP API Security #1: Broken Object Level Authorization
  • Authenticated users could enumerate records via predictable object identifiers

Intrusion Timeline:

  • December 22, 2025: Unauthorized access begins
  • January 15, 2026: Access ends
  • January 23, 2026: Navia detects (8-day gap)
  • 24-day intrusion window, 2,697,540 records accessed

08

MITRE ATT&CK:

  • T1078 - Valid Accounts
  • T1119 - Automated Collection

09

REGULATORY EXPOSURE

  • HIPAA (45 CFR Parts 160, 164): Navia administers HRAs, FSAs, and COBRA plans - all of which involve protected health information (PHI) or health plan enrollment data. As a business associate under HIPAA, Navia is required to notify covered entities (employer clients) without unreasonable delay and no later than 60 days after discovery of a breach affecting 500+ individuals. The 60-day clock started on January 23, 2026 (detection date), making the deadline March 24, 2026. Individual notification letters did not begin mailing until March 18 - within the HIPAA window but only barely. For breaches affecting 500+ individuals, Navia must also notify HHS OCR and prominent media outlets. HIPAA civil monetary penalties range from $141 to $2,134,831 per violation category per year, with a calendar year cap of $2,134,831 per identical provision.
  • Washington State Breach Notification (RCW 19.255.010): Washington requires notification to affected residents within 30 days of discovery. With approximately 35,600 Washington residents affected and discovery on January 23, the 30-day deadline was February 22. Navia's substitute notice was posted March 13 and individual letters began March 18 - both past the 30-day window. The Washington Attorney General must also be notified if more than 500 residents are affected. Violations constitute unfair or deceptive acts under the Consumer Protection Act.
  • State Breach Notification Laws (all 50 states): SSN exposure triggers mandatory notification in every US state and territory. Each state has its own timeline, content requirements, and AG notification thresholds. Navia's 10,000+ employer clients span the country, meaning notification obligations exist in virtually every jurisdiction. Several states impose 30-day or 45-day notification deadlines that Navia may have missed.
  • CCPA/CPRA (California Civil Code 1798.100 et seq.): If California residents are among the 2.7 million affected - virtually certain given Navia's national client base - the CCPA's private right of action for data breaches involving unencrypted SSNs applies. Statutory damages of $100-$750 per consumer per incident. For 2.7 million individuals, maximum statutory exposure exceeds $2 billion. The California AG or CPPA can impose administrative fines of $7,500 per intentional violation.
  • FTC Act Section 5: The FTC has historically pursued third-party service providers that fail to implement reasonable security measures to protect consumer data. A BOLA vulnerability - the #1 OWASP API risk - in a system holding 2.7 million SSNs, combined with seven years of excessive data retention and a delayed notification, fits the FTC's pattern of enforcement against companies with "unreasonable" security practices. FTC consent decrees typically impose 20-year monitoring obligations.
  • ERISA (Employee Retirement Income Security Act): Benefits administrators owe fiduciary duties to plan participants. While ERISA's application to cybersecurity is evolving, the DOL's 2021 cybersecurity guidance for ERISA-covered plans establishes expectations for service provider security assessments, and the exposure of participant data through a basic API vulnerability raises questions about Navia's compliance with fiduciary obligations.
  • COPPA (Children's Online Privacy Protection Act): The WA HCA FAQ confirmed that children's data may have been exposed through Dependent Care Assistance Program (DCAP) accounts where participants entered dependent names and dates of birth for recurring claims. If minors under 13 are among the affected population - which is likely given the DCAP use case - COPPA's heightened protections for children's personal information apply. The FTC enforces COPPA violations with penalties of up to $50,120 per violation, and the exposure of children's data through a preventable API flaw in a benefits administration platform would attract significant regulatory scrutiny.
  • Maine Breach Notification (10 M.R.S. Section 1348): Navia filed its breach notification with the Maine AG listing 2,697,540 affected individuals. Maine requires notification within 30 days of discovery for breaches affecting Maine residents. The filing serves as the public record establishing the breach scope.
  • HackerOne Vendor Risk Implications: While not a regulatory matter, HackerOne's public criticism and announced vendor review carries significant reputational weight in the cybersecurity industry. When the world's largest bug bounty platform publicly questions your security practices, every prospective client takes notice. HackerOne's signaled intent to switch providers may trigger a broader client exodus.

10

INTELLIGENCE GAPS

The following gaps exist in the public record for this incident:

1. No threat actor has claimed responsibility and no data from this breach has appeared on dark web markets or leak sites - it is unknown whether the unauthorized party was a criminal actor, a researcher, or an automated scanning tool.

2. Whether the BOLA vulnerability was a longstanding flaw present since the API's deployment or was introduced in a recent update has not been disclosed by Navia or its forensic investigators.

3. The method by which the unauthorized party obtained valid authenticated credentials to begin the BOLA exploitation has not been explained - it is unknown whether credentials were stolen, purchased, or legitimately held.

4. Navia's statement that access was "read-only" with "no evidence of data modification, fund movement, or access to claims data" has not been independently verified through published forensic findings.

5. The full list of affected employer clients among the 10,000+ served by Navia has not been disclosed, and the notification timeline to individual employers beyond HackerOne and Washington State HCA is unknown.

6. The identity of the external forensic firm has not been publicly disclosed.

WA HCA documents describe Kroll as a "global incident response provider" handling notifications, call centers, and monitoring - raising the question of whether Kroll also performed the forensic investigation or whether a separate firm was retained.

No source names the forensic firm.

7. The scope of federal law enforcement involvement - confirmed by CyberSecurityNews reporting that Navia launched its investigation "alongside federal law enforcement" - has not been elaborated.

It is unknown which agency (FBI, Secret Service, or other) is involved, whether a criminal investigation is active, or whether law enforcement has identified the threat actor.

8. The exact number of minors whose data was exposed through DCAP accounts has not been disclosed. The WA HCA FAQ confirmed that children's information may have been entered into participant accounts for dependent care claims, but no count of affected minors has been provided.

9. Whether the nine filed lawsuits will be consolidated into a multi-district litigation (MDL) proceeding remains to be determined. The concentration of filings in the Western District of Washington suggests consolidation is likely.

11

ZERO|TOLERANCE Advisory

The Navia breach is a case study in what happens when a third-party administrator scales its client base to 10,000+ employers and 2.7 million participants without scaling its API security controls to match.

The technical root cause - a missing object-level authorization check - is detailed in the Technical Failure Chain above.

What matters strategically is what this incident signals for the benefits administration industry and the organizations that entrust it with their employees' most sensitive data.

The enumeration pattern should have been detected within minutes, not discovered eight days after the attacker stopped.

A single authenticated session querying records across hundreds of employer clients, pulling thousands per hour, sequentially iterating through participant IDs - this is the textbook signature of BOLA enumeration.

An API security gateway with behavioral analytics - Salt Security, Noname Security (now Akamai API Security), Traceable AI - would have flagged the pattern within the first hour and triggered automatic session termination.

Instead, the attacker operated for 24 days, and Navia did not notice until eight days after the unauthorized access had already stopped.
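The enumeration signature described above (and in failure chain items 3 and 6) can be expressed as a small detection rule. The following is an added example, not Navia's logging or any of the named vendors' products: it parses a constructed API access-log format (timestamp, session, object ID, employer, status; all assumptions) and flags any session whose successful reads are mostly consecutive object IDs, span many employers, or arrive at a high rate. The thresholds are placeholders a defender would tune against their own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format (an assumption, not Navia's logging or any vendor's):
#   <iso-timestamp> session=<id> GET /participants/<pid> employer=<id> status=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) GET /participants/(?P<pid>\d+) "
    r"employer=(?P<employer>\S+) status=(?P<status>\d{3})$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "session": m["session"],
            "pid": int(m["pid"]), "employer": m["employer"], "status": int(m["status"])}


def session_features(events: List[dict]) -> dict:
    """Per-session features for the enumeration signature: volume, spread across
    employers, how often consecutive object IDs differ by exactly one, and rate."""
    events = sorted(events, key=lambda e: e["ts"])
    pids = [e["pid"] for e in events]
    steps = sum(1 for a, b in zip(pids, pids[1:]) if b - a == 1)
    minutes = max((events[-1]["ts"] - events[0]["ts"]).total_seconds() / 60.0, 1.0)
    return {
        "requests": len(events),
        "distinct_employers": len({e["employer"] for e in events}),
        "sequential_ratio": steps / max(len(pids) - 1, 1),
        "per_minute": len(events) / minutes,
    }


def detect_enumeration(lines: List[str], min_requests: int = 20, max_employers: int = 3,
                       min_sequential: float = 0.8, max_per_minute: float = 30.0) -> Dict[str, List[str]]:
    """Return {session_id: [reasons]} for sessions that look like enumeration.
    Only successful reads count; thresholds are assumptions to tune to a real baseline."""
    by_session: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] == 200:
            by_session[ev["session"]].append(ev)
    alerts: Dict[str, List[str]] = {}
    for sid, events in by_session.items():
        f = session_features(events)
        reasons = []
        if f["requests"] >= min_requests and f["sequential_ratio"] >= min_sequential:
            reasons.append("sequential object IDs (%.0f%%)" % (100 * f["sequential_ratio"]))
        if f["distinct_employers"] > max_employers:
            reasons.append("records across %d employers" % f["distinct_employers"])
        if f["requests"] >= min_requests and f["per_minute"] > max_per_minute:
            reasons.append("%.0f requests/min" % f["per_minute"])
        if reasons:
            alerts[sid] = reasons
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample: a benign session reading its own record and a
    dependent's, and one session walking 60 consecutive IDs across 12 employers."""
    t0 = datetime(2025, 12, 22, 3, 0, 0)
    lines = []
    for i, pid in enumerate([4410, 4410, 4412]):
        ts = (t0 + timedelta(minutes=5 * i)).strftime(TS_FMT)
        lines.append(f"{ts} session=s-benign GET /participants/{pid} employer=emp-7 status=200")
    for i in range(60):
        ts = (t0 + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} session=s-enum GET /participants/{1000 + i} employer=emp-{i % 12} status=200")
    return lines


if __name__ == "__main__":
    for sid, why in detect_enumeration(constructed_log()).items():
        print(sid, "->", "; ".join(why))
```

On the constructed sample only `s-enum` is flagged, on all three counts; the benign session touches one employer, three records, and nothing sequential.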

Sequential, predictable object identifiers turned a missing authorization check into a trivially scriptable attack.

Replacing predictable IDs with UUIDs (128-bit random values) would not fix the root cause - the missing authorization check must be addressed independently - but it would make blind enumeration functionally impossible.

The attacker cannot count from 1 to 2,697,540 if identifiers are randomly distributed across a 128-bit keyspace.

Seven years of historical records were accessible through the same live API as active participants. SSNs for individuals who terminated benefit plans in 2018 sat in the same queryable database as current enrollees.

Data minimization - required under HIPAA's minimum necessary standard and CCPA's retention limits - demands that records no longer needed be archived to encrypted cold storage with separate access controls.

The difference between exposing seven years of records and exposing one year is the difference between a class action and a contained incident.

BOLA is among the easiest flaws to detect during security testing - automated API scanners flag it routinely.

Annual third-party API security assessments covering OWASP API Top 10 risks, combined with automated authorization testing in CI/CD using tools like Akto, APIsec, or StackHawk, would have caught this before any attacker found it.

The cost of continuous testing is negligible compared to 2.7 million SSN exposures and nine federal class action lawsuits.

A benefits administrator holding SSNs for millions of people across 10,000 employer clients needs pre-staged breach notification protocols: contractual timelines of 48-72 hours from confirmation, pre-drafted communication templates, and dedicated incident response contacts on file.

The breach was a technical failure. The six-week notification delay was an operational one. Both were preventable.

12

SOURCES

BleepingComputer, The Register, SecurityWeek, Security Affairs, HIPAA Journal, ClassAction.org, Washington State Health Care Authority, WA HCA FAQ (HCA 50-0132), WA HCA GovDelivery Bulletin, CyberSecurityNews, Paubox, GlobeNewswire, Justia Federal Court Dockets (Western District of Washington), Law.com Radar, ClaimDepot, SC Media, TechRadar, CyberNews, CPO Magazine, TechRepublic, The Lyon Firm, DEV Community
