SecureFact – Cyber Security News – Week of March 30, 2026

Bug bounty platform HackerOne notified hundreds of employees that their data was stolen after attackers hacked Navia, one of its U.S. benefits administrators.
A Broken Object Level Authorization (BOLA) vulnerability led to unauthorized access to Navia data between December 22, 2025, and January 15, 2026.
The breach exposed sensitive information of 287 HackerOne employees.
The exposed data includes Social Security numbers, full names, addresses, phone numbers, dates of birth, email addresses, plan enrollment dates, effective dates, and termination dates for affected employees and their dependents.
HackerOne encouraged impacted employees to monitor their financial accounts for unusual activity and take advantage of 12-month free identity protection and credit monitoring services provided by Navia.
The company recommended changing passwords and security questions if they involve the exposed personal data.
No ransomware group has claimed responsibility for the breach.

Infinite Campus, a widely used K-12 student information system serving more than 3,200 school districts managing data for 11 million students in 46 states, disclosed a data breach following an extortion attempt by ShinyHunters threat actors.
Hackers accessed an employee’s Salesforce account, exposing information that was mostly publicly available.
ShinyHunters claimed the attack and posted a final warning on its dark web site, threatening to leak all stolen data and giving the company until March 25 to initiate contact and negotiate ransom.
The exposed data consists of names and contact information for school staff, with the majority being directory information commonly found on school websites.
No customer databases were accessed according to the company’s investigation.
Infinite Campus disabled certain customer-facing services for users without IP address restrictions to minimize exposure risk and is scanning all Salesforce data that may have been compromised.
The company stated it will not engage with the attacker and is contacting potentially impacted districts to provide guidance.

The European Commission, the European Union’s main executive body, is investigating a security breach after a threat actor gained access to the Commission’s Amazon cloud environment.
The attack was quickly detected and the Commission’s cybersecurity incident response team is investigating.
The threat actor who claimed responsibility stated they had stolen over 350 GB of data including multiple databases.
The attacker provided screenshots as proof of access to information belonging to European Commission employees and to an email server used by Commission employees.
The threat actor stated they will not attempt to extort the Commission but intend to leak the data online at a later date. AWS confirmed that AWS services operated as designed and did not experience a security event.
This is the second breach disclosed by the Commission in recent months, following a February incident involving the mobile device management platform used to manage staff devices.
The January incident appears linked to similar attacks targeting other European institutions exploiting code-injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software.

Dutch professional football club Ajax Amsterdam disclosed that a hacker exploited vulnerabilities in its IT systems and accessed data belonging to a few hundred people.
The security issues allowed transferring purchased tickets to others and enabled modifications to stadium bans imposed to certain individuals.
The club learned about the security issues from journalists who were tipped off by the hacker.
Only email addresses of a few hundred people were viewed, and for fewer than 20 people with stadium bans, their names, email addresses, and dates of birth were accessed.
RTL journalists independently verified the vulnerabilities and reported they could transfer season tickets, access and modify stadium ban records, and gain broad access to fan data via APIs and shared keys.
The investigation indicated potential manipulation of 42,000 season tickets, 538 supporter stadium bans, and viewing details on over 300,000 accounts.
AFC Ajax engaged external experts to determine the scope and identify root causes. All identified vulnerabilities have been patched and additional security measures introduced.
The Dutch Data Protection authority and police have been notified. The exposed data has not been leaked.

Mazda Motor Corporation announced that information belonging to its employees and business partners had been exposed in a security incident detected in December.
The attackers exploited a vulnerability in a system related to warehouse management for parts procured from Thailand.
The system did not contain any customer data and the breach is limited to 692 records.
The potentially exposed information includes user IDs, full names, email addresses, company names, and business partner IDs. Mazda has detected no misuse of the information to date.
The company recommends that impacted individuals remain vigilant due to the significant risk of phishing attacks and scams targeting them.
Mazda promptly reported the matter to the Personal Information Protection Commission and implemented appropriate security measures in cooperation with external specialist organizations.
Additional security measures implemented include reducing internet exposure, applying security patches, increasing monitoring for suspicious activity, and introducing stricter access policies.
No ransomware group has publicly claimed the attack. Mazda confirmed the incident is not related to ransomware and no malware infections have been confirmed.

The Dutch Ministry of Finance confirmed that some of its systems were breached in a cyberattack detected on March 19, 2026.
The ministry was notified by a third party of the breach and is still investigating the cyberattack.
Unauthorized access was detected to systems for a number of primary processes within the policy department.
Following the alert, an immediate investigation was launched and access to these systems has been blocked.
The incident affects the work of a portion of employees.
The cyberattack did not impact systems used to manage tax collection, import/export regulations, and income-linked subsidies, which handle over 9.5 million tax returns annually for income tax alone.
Services to citizens and businesses provided by the Tax and Customs Administration, Customs, and Benefits have not been affected.
The ministry did not disclose how many employees were affected or whether attackers stole any sensitive data.
No cybercrime group or threat actors have taken responsibility for the attack.
A Ministry of Finance spokesperson stated they could not provide more information due to the ongoing investigation.