This week's intelligence reveals a concerning pattern of threat actors targeting employee data through third-party systems and vendor relationships. Several major organizations including HackerOne, Mazda Motor Corporation, and Goodwill disclosed breaches affecting employee and partner information, while critical infrastructure providers like Infinite Campus faced incidents impacting educational institutions nationwide.

Third-Party Vendor Breaches Create Cascading Exposures

Bug bounty platform HackerOne disclosed that employee data was stolen after threat actors compromised Navia, its U.S. benefits administrator. The exposed information includes Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, plan enrollment dates, effective dates, and termination dates for each affected employee and their dependents. The breach occurred between December 2025 and January 2026 and was attributed to a "Broken Object Level Authorization (BOLA)" vulnerability at Navia.

The Navia incident affected approximately 2.7 million individuals total, demonstrating how a single vendor breach can create widespread exposure across multiple client organizations. This incident underscores the critical importance of third-party risk management in today's interconnected business environment.
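To make the BOLA vulnerability class named above concrete, the following added example (not code from Navia, HackerOne, or any affected system) contrasts a record lookup that only requires an authenticated caller with one that also checks tenant and ownership. All names, record IDs, and data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: str
    employer_id: str              # client organization (tenant) of the caller
    is_benefits_admin: bool = False

@dataclass(frozen=True)
class EnrollmentRecord:
    record_id: int
    employer_id: str              # tenant that owns the record
    owner_id: str                 # employee the record belongs to
    ssn_last4: str

# Constructed sample data: two client organizations sharing one vendor.
RECORDS = {
    1001: EnrollmentRecord(1001, "acme", "alice", "1234"),
    1002: EnrollmentRecord(1002, "acme", "bob", "5678"),
    2001: EnrollmentRecord(2001, "globex", "carol", "9012"),
}

class NotFound(Exception):
    """Raised for missing AND unauthorized records, so replies do not confirm which IDs exist."""

def get_record_vulnerable(caller: Principal, record_id: int) -> EnrollmentRecord:
    # BOLA: the caller is authenticated, but the object is never tied back to them.
    record = RECORDS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    return record

def may_read(caller: Principal, record: EnrollmentRecord) -> bool:
    # Tenant boundary first, then ownership or an explicit admin role.
    if record.employer_id != caller.employer_id:
        return False
    return caller.is_benefits_admin or record.owner_id == caller.user_id

def get_record(caller: Principal, record_id: int) -> EnrollmentRecord:
    record = RECORDS.get(record_id)
    if record is None or not may_read(caller, record):
        raise NotFound(record_id)
    return record

def audit_readable_ids(caller: Principal, handler) -> list:
    # Authorization regression check: which stored records does this caller get back?
    readable = []
    for rid in sorted(RECORDS):
        try:
            readable.append(handler(caller, rid).record_id)
        except NotFound:
            pass
    return readable
```

Running `audit_readable_ids` for an ordinary employee against both handlers shows the difference: the first returns every tenant's records, the second only the caller's own.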

Corporate Data Breaches Target Employee and Business Partner Information

Mazda Motor Corporation disclosed that threat actors exploited security vulnerabilities in mid-December 2025 to access an internal system managing warehouse operations for automotive parts from Thailand. The compromise exposed internal IDs, names, email addresses, and business partner IDs from the internal management system. Though the incident was detected in December, public notification came in March 2026 following forensic investigation and regulatory compliance requirements.

Goodwill of Greater Grand Rapids confirmed a breach on March 27, 2026, that disrupted network resources and took down point-of-sale systems, forcing all locations to accept cash only. The organization noted that it does not store credit card data on its systems, meaning customer payment information was not at risk.

Educational Infrastructure Under Attack

Infinite Campus, a K-12 student information system managing data for roughly 11 million students, suffered a breach after threat actors gained access to an employee's Salesforce account. The company claims most exposed data was already public information such as names and contact information for school staff, with no student information reported as breached.

The targeting of educational infrastructure demonstrates threat actors' focus on high-value systems that manage sensitive populations. Educational institutions often face resource constraints that can limit cybersecurity investments, making them attractive targets for criminal operations.

What Individuals Should Do

Employees at affected organizations should immediately review benefits accounts and credit reports for suspicious activity. Enable multi-factor authentication on all accounts, particularly those connected to payroll and benefits systems. Consider freezing credit reports as a precautionary measure if Social Security numbers were involved in your organization's breach.

What Businesses Should Do

Conduct comprehensive third-party risk assessments, particularly for vendors handling employee benefits, payroll, or sensitive corporate data. Implement vendor security monitoring and require notification clauses in contracts that mandate immediate breach disclosure. Review access controls for critical business systems like Salesforce and ensure proper authorization levels are enforced across all platforms.