Post by Ceeyu
HackerOne's employee data stolen, via a third-party supplier.

HackerOne runs bug bounty programs for some of the largest organizations in the world. However, their employee data got disclosed through a supplier. Navia Benefit Solutions, the third party that manages employee benefits on their behalf, was breached.

Around 300 HackerOne employees had their personal data exposed. Names, addresses, dates of birth, health plan details. The kind of information that sits quietly in an HR system most security teams never look at.

This is the supply chain risk conversation that is still not happening at the right level in most organizations. Your firewall does not protect your payroll processor. Your endpoint detection does not cover your benefits administrator. Your ISO 27001 certification says nothing about the security posture of the vendors who touch your employee data every month, etc.

Third-party risk is an ongoing question: who has access to your data, what are they doing with it, and what happens when they get breached? HackerOne found out the hard way.