Four major organisations disclosed data breaches within days of each other this week, exposing a common thread: third-party vulnerabilities are outpacing internal security defences. HackerOne confirmed 287 employee records were stolen through a supplier breach, Infinite Campus admitted unauthorised access to its Salesforce account, Mazda disclosed a warehouse system compromise affecting 692 records, and the Dutch Ministry of Finance blocked internal systems after detecting unauthorised access.
The timing is not coincidental. These are not isolated incidents but symptoms of a supply chain security crisis that is accelerating faster than most organisations can adapt their defences.
HackerOne Gets Schooled by Its Own Supplier
HackerOne, the bug bounty platform that exists to find security flaws, fell victim to a supplier breach that exposed personal data of 287 employees. The irony is thick enough to cut with a knife. The breach occurred through Navia Benefit Solutions, a third-party benefits administrator that manages employee health plan information for HackerOne and approximately 10,000 other corporate clients.
According to BleepingComputer, attackers exploited a Broken Object Level Authorization (BOLA) vulnerability in Navia’s systems between December 22, 2025, and January 15, 2026. Navia detected the breach on January 23 but HackerOne was not notified until March. That two-month delay has prompted HackerOne to publicly slam Navia’s notification timeline and threaten to find a new benefits provider.
The stolen data includes Social Security numbers, full names, addresses, phone numbers, dates of birth, and health plan details for HackerOne employees and their dependents. The total breach affected 2.7 million people across Navia’s client base, making it one of the larger third-party breaches on record.
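The article names the vulnerability class behind the Navia breach, Broken Object Level Authorization (BOLA), without describing the affected endpoint. The following is an added illustration of the class in general, not Navia's code or anything derived from it: a toy benefits-record lookup where the vulnerable handler only checks that the caller is logged in, beside a hardened version that authorises against the object itself. The record shape, the tenant model and the sample data are constructed for the example.

```python
"""Broken Object Level Authorization (BOLA) on a toy benefits API.

Added example, not code from HackerOne, Navia or the article. The user model,
record layout and sample rows are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    employer: str            # tenant the caller belongs to
    is_hr_admin: bool = False


# Constructed sample data: health plan records for two different employers
# (a multi-tenant benefits administrator holds data for many clients at once).
RECORDS = {
    101: {"owner_id": 1, "employer": "acme",   "plan": "PPO-Gold",   "ssn_last4": "1234"},
    102: {"owner_id": 2, "employer": "acme",   "plan": "HMO-Basic",  "ssn_last4": "5678"},
    201: {"owner_id": 3, "employer": "globex", "plan": "PPO-Silver", "ssn_last4": "9012"},
}


class Forbidden(Exception):
    """Caller is authenticated but not authorised for the requested object."""


def get_record_vulnerable(caller: User, record_id: int) -> dict:
    # BOLA: the handler trusts the client-supplied id and only verifies that
    # a session exists, so any authenticated user can read any tenant's record.
    if caller is None:
        raise PermissionError("login required")
    return RECORDS[record_id]


def get_record_secure(caller: User, record_id: int) -> dict:
    # Fix: authorise against the object, not just the session. The decision
    # is made server-side from the record's owner and tenant fields.
    if caller is None:
        raise PermissionError("login required")
    record = RECORDS.get(record_id)
    if record is None:
        # Same error for "missing" and "not yours" so the API does not confirm
        # which ids exist to a caller enumerating them.
        raise Forbidden("no such record for this caller")
    owns_it = record["owner_id"] == caller.user_id
    same_tenant_admin = caller.is_hr_admin and record["employer"] == caller.employer
    if not (owns_it or same_tenant_admin):
        raise Forbidden("no such record for this caller")
    return record


def can_read(caller: User, record_id: int) -> bool:
    """True if the hardened handler allows the caller to read the record."""
    try:
        get_record_secure(caller, record_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User(user_id=1, employer="acme")
    acme_hr = User(user_id=9, employer="acme", is_hr_admin=True)
    # Vulnerable handler hands an acme employee a globex record.
    print(get_record_vulnerable(alice, 201))
    # Hardened handler: own record yes, other tenant no, same-tenant admin yes.
    print(can_read(alice, 101), can_read(alice, 201),
          can_read(acme_hr, 102), can_read(acme_hr, 201))
```

The detection side follows from the same property: an object-level authorisation failure shows up in access logs as one session reading records across many owners or tenants, which is a useful anomaly to alert on for any multi-tenant API holding personal data.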
ShinyHunters Targets Student Information Systems
Infinite Campus, which manages data for 11 million students across 46 US states, confirmed that threat actors gained unauthorised access to an employee’s Salesforce account. The company serves more than 3,200 school districts, making it a high-value target for data theft operations.
The ShinyHunters extortion group claimed responsibility and posted a “final warning” on dark web forums demanding ransom payment by March 25. Infinite Campus refused to negotiate. According to the company’s statement to school districts, the breach exposed names and contact information for school staff, most of which is publicly available on school websites. No student databases were accessed, according to the firm’s investigation.
This follows ShinyHunters’ pattern of targeting Salesforce customers through social engineering attacks on help desks. The group has compromised hundreds of companies in the past year; one campaign alone resulted in over 1.5 billion records being stolen from Salesloft Drift customers. The December 2024 PowerSchool breach exposed 62 million student records through similar tactics.
Dutch Government Systems Compromised
The Dutch Ministry of Finance disclosed that attackers gained unauthorised access to internal systems within its policy department. The breach was first detected on March 19 after a third party alerted the ministry to suspicious activity, according to BleepingComputer.
Officials blocked access to compromised systems, disrupting work for an unspecified number of employees. The ministry stated that core services including tax collection, customs operations, and benefits processing remain unaffected. No threat group has claimed responsibility.
This adds to a troubling pattern for Dutch government entities. The national police suffered a state-actor breach in September 2024 that exposed officers’ contact details, and several other ministries were hit by major breaches in April 2025.
The Supply Chain Problem Is Getting Worse
Three of these four incidents trace back to third-party relationships: HackerOne through its benefits provider, Infinite Campus through Salesforce, and Mazda through its warehouse management system. The pattern is consistent with a fundamental shift in how organisations are being compromised.
Direct attacks on well-defended primary systems are increasingly difficult. Attacking suppliers, service providers, and cloud platforms offers threat actors a path to multiple victims through a single compromise. The Navia breach alone affected 2.7 million people across 10,000 companies. That return on investment is impossible to achieve through individual company attacks.
HackerOne’s public criticism of Navia’s notification timeline reveals another critical weakness: most organisations have limited visibility into their suppliers’ incident response capabilities. When a vendor is breached, downstream customers are entirely dependent on that vendor’s detection speed and disclosure practices.
What Companies Should Audit This Week
Review your vendor contracts for breach notification timelines. If a supplier does not commit to notifying you within 72 hours of detecting a compromise, that gap could leave your organisation exposed for months without your knowledge. The HackerOne-Navia case demonstrates why generic vendor agreements are insufficient.
Map which suppliers have access to employee personal data, customer information, or internal systems. Prioritise security reviews for those relationships, particularly benefits administrators, payroll providers, and cloud service platforms that store sensitive data on behalf of multiple clients.
For education sector organisations, the Infinite Campus compromise should prompt immediate review of Salesforce account security controls. Enable IP restrictions, enforce multi-factor authentication, and audit which employees have admin-level access to customer relationship management systems.
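The three audit steps above (check contractual notification windows, map which suppliers hold sensitive data, prioritise the multi-tenant ones) can be run as one pass over a vendor inventory. The following is an added example, not a tool from the article: it scores each vendor from the data it can reach, whether it serves many clients from shared infrastructure, and whether its contract commits to the 72-hour notification window the article recommends, then returns findings and an ordered review queue. The inventory fields, the scoring weights and the sample vendors are constructed assumptions.

```python
"""Prioritise third-party security reviews from a vendor inventory.

Added example, not from the article. Field names, weights and the sample
vendors are constructed; the 72-hour window is the article's recommendation.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SENSITIVE = {"employee_pii", "customer_pii", "internal_systems"}
MAX_NOTIFY_HOURS = 72   # contractual breach-notification deadline to require


@dataclass
class Vendor:
    name: str
    category: str
    data_access: Set[str]          # what of ours the vendor holds or can reach
    notify_hours: Optional[int]    # contractual notification deadline; None = no commitment
    multi_tenant: bool             # one compromise reaches many clients


def audit(vendors: List[Vendor]) -> Tuple[List[str], List[Tuple[str, int]]]:
    """Return (findings, review queue ordered by descending risk score)."""
    findings = []
    scored = []
    for v in vendors:
        sensitive = v.data_access & SENSITIVE
        if not sensitive:
            continue  # no sensitive access: not in scope for this week's review
        score = len(sensitive)
        if v.multi_tenant:
            score += 1
            findings.append(f"{v.name}: multi-tenant platform holding {sorted(sensitive)}")
        if v.notify_hours is None or v.notify_hours > MAX_NOTIFY_HOURS:
            score += 2
            findings.append(f"{v.name}: no {MAX_NOTIFY_HOURS}h breach-notification commitment "
                            f"(contract says {v.notify_hours})")
        scored.append((v.name, score))
    scored.sort(key=lambda item: (-item[1], item[0]))
    return findings, scored


# Constructed sample inventory.
SAMPLE_VENDORS = [
    Vendor("BenefitsCo",   "benefits administrator", {"employee_pii"},                     None, True),
    Vendor("CRM-Cloud",    "CRM platform",           {"customer_pii"},                     24,   True),
    Vendor("Payroll Inc",  "payroll",                {"employee_pii", "internal_systems"}, 120,  False),
    Vendor("OfficeSupply", "stationery",             set(),                                None, False),
]


def run_sample() -> Tuple[List[str], List[Tuple[str, int]]]:
    return audit(SAMPLE_VENDORS)


if __name__ == "__main__":
    findings, queue = run_sample()
    for line in findings:
        print("FINDING:", line)
    for name, score in queue:
        print(f"review {name} (score {score})")
```

The notification-window check is the one most organisations skip: a vendor with a weak contract and sensitive data is queued ahead of a vendor with the same data and a 24-hour commitment, which is the ordering the HackerOne-Navia timeline argues for.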
References
- BleepingComputer: HackerOne discloses employee data breach after Navia hack — https://www.bleepingcomputer.com/news/security/hackerone-discloses-employee-data-breach-after-navia-hack/
- BleepingComputer: Infinite Campus warns of breach after ShinyHunters claims data theft — https://www.bleepingcomputer.com/news/security/infinite-campus-warns-of-breach-after-shinyhunters-claims-data-theft/
- BleepingComputer: Dutch Ministry of Finance discloses breach affecting employees — https://www.bleepingcomputer.com/news/security/dutch-ministry-of-finance-discloses-breach-affecting-employees/
- The Register: HackerOne slams supplier for delayed breach notice after staff data exposed — https://www.theregister.com/2026/03/24/hackerone_supplier_breach/
- The Record: Dutch Finance Ministry probing cyber breach affecting internal systems — https://therecord.media/netherlands-finance-ministry-cyberattack-breach
- Hackread: HackerOne, Mazda, Infinite Campus and Dutch Ministry Hit by Data Breaches — https://hackread.com/hackerone-mazda-infinite-campus-dutch-ministry-data-breaches/
March 25, 2026