TL;DR

AI is no longer just a tool in your security stack — it is now an attack surface. From model theft costing organisations millions in stolen IP to data poisoning campaigns that corrupt your AI from the inside, the threat landscape has fundamentally shifted. Business leaders need to understand four critical risk areas: AI-powered social engineering, prompt injection against AI agents, model exfiltration, and the governance structures required to keep up.

The Threat Landscape Has Changed

AI does not merely automate old attack patterns. It introduces entirely new categories of risk that traditional security controls were never designed to address. Nation-state actors are already leveraging AI at scale — the ASD ACSC flagged joint advisories in 2026 documenting Chinese and Russian cyber campaigns that increasingly incorporate AI-driven reconnaissance and targeting. Meanwhile, your own AI investments — the models you trained, the data pipelines you built — are themselves valuable targets.

A single fine-tuned foundation model can represent $2–10 million in compute costs, data curation labour, and competitive advantage. Losing it is not a data breach; it is an IP theft event with compounding consequences.

1. AI-Powered Phishing and Deepfake Social Engineering

AI has weaponised social engineering. Large language models generate phishing emails that are grammatically flawless, contextually personalised, and virtually indistinguishable from legitimate correspondence. Deepfake voice and video technology has moved from research labs into active criminal use.

Real-world impact:

  • In 2024, a Hong Kong finance worker was deceived into transferring $25 million after attending a video conference call where every other participant — including the CFO — was a deepfake. This was not a proof of concept; it was a live attack.
  • AI voice cloning now requires as little as 3 seconds of source audio. Commercial tools like ElevenLabs and open-source alternatives have democratised this capability, lowering the barrier from nation-state to individual threat actor.
  • The UK's National Cyber Security Centre (NCSC) has warned that AI is "almost certainly increasing the volume and impact of cyber attacks" — specifically citing phishing as the area seeing the most immediate uplift.

What to do:

  • Implement out-of-band verification for any financial transaction above a defined threshold. A phone call to a known number is no longer sufficient; use a pre-agreed code word or secondary channel.
  • Deploy deepfake detection tools such as Microsoft's Video Authenticator or Reality Defender's API within your communication platforms.
  • Train staff specifically on AI-generated content. Generic "spot the phish" training does not prepare people for a cloned voice on a live call.
  • Budget: Deepfake detection platforms typically run $15,000–50,000/year for enterprise deployment. Put it in context — that is less than 0.2% of what the Hong Kong firm lost.

2. Prompt Injection and AI Agent Security

As organisations deploy AI agents that can read email, execute code, query databases, and take actions on behalf of users, a new class of vulnerability has emerged: prompt injection. An attacker crafts input that causes the AI to ignore its instructions and execute the attacker's will instead.

How it works:

  • Direct prompt injection: An attacker sends a malicious instruction embedded in an email or document. When your AI agent processes it, the agent interprets the hidden instruction as a command — potentially exfiltrating data, sending emails, or modifying records.
  • Indirect prompt injection: The malicious payload is hidden in a webpage, PDF, or data source your AI agent retrieves. The agent never sees the attacker directly; the poisoned content does the work.
  • Agent tool abuse: Agentic AI systems with access to APIs, file systems, or shell commands can be tricked into chaining actions in unintended ways. The ASD ACSC released joint guidance in 2026 specifically warning about the risks of agentic AI services, recommending organisations adopt them "carefully, prioritising secure and resilient use."

What to do:

  • Treat every external input to an AI agent as untrusted. Implement input sanitisation layers between the LLM and external data sources.
  • Enforce the principle of least privilege on AI agent tool access. If your customer service agent does not need database write access, do not give it database write access.
  • Use guardrail frameworks such as NVIDIA NeMo Guardrails, Microsoft's Prompt Shields (built into Azure AI Content Safety), or Lakera Guard to detect and block injection attempts at inference time.
  • Run red-team exercises against your AI agents before deployment. Tools like Garak (the Generative AI Red-teaming and Assessment Kit) automate adversarial testing of LLM vulnerabilities.

3. Model Theft and Data Poisoning

Your AI models are intellectual property, and they are being stolen. Model theft — also called model exfiltration or model skimming — occurs when attackers extract the weights, architecture, or behavioural equivalence of your proprietary model through API access, insider threats, or direct infrastructure compromise.

Model theft scenarios:

  • API-based extraction: An attacker queries your model endpoint thousands of times, then trains a "knock-off" model that mimics its behaviour. Research has shown that attacking commercial APIs like OpenAI's can reproduce model outputs at a fraction of the original training cost.
  • Insider exfiltration: A departing employee copies model weights to a personal device. Given that model files for large models can be tens or hundreds of gigabytes, data loss prevention (DLP) tools that ignore large binary transfers will miss this entirely.
  • Supply chain compromise: A dependency or plugin in your ML pipeline is compromised, silently exfiltrating model artefacts during training or deployment. The same technique used in the SolarWinds attack applies to MLOps tooling.

Data poisoning:

Data poisoning attacks corrupt the training data your models learn from, embedding backdoors or biases that persist undetected. A poisoned model performs normally on standard benchmarks but produces attacker-controlled outputs on specific trigger inputs. This is particularly dangerous for organisations that rely on web-scraped data, user-generated training sets, or third-party data providers.

What to do:

  • Encrypt model weights at rest and in transit. Use hardware security modules (HSMs) or trusted execution environments (TEEs) for inference serving.
  • Implement query-rate limiting and anomaly detection on model APIs. Sudden spikes in API volume with systematically varied inputs are a hallmark of extraction attacks.
  • Apply data provenance tracking to training pipelines. Tools like Dolt (versioned SQL databases) or LakeFS (versioned data lakes) let you track exactly what data entered your model and when.
  • Run model integrity checks. Microsoft's Counterfit and IBM's Adversarial Robustness Toolbox can test for backdoor behaviours in trained models.

4. Governance Frameworks Your Board Actually Needs

Technical controls are necessary but insufficient. AI security demands governance structures that cross traditional silos — blending cybersecurity, data science, legal, and executive oversight.

The NIST AI Risk Management Framework (AI RMF) provides a structured approach organised around four functions: Govern, Map, Measure, and Manage. It is the closest thing to an industry standard and is increasingly referenced in procurement requirements and regulatory expectations.

Practical governance steps:

  1. Establish an AI security working group that includes your CISO, head of data science, legal counsel, and a business stakeholder. Meet monthly. This is not a committee for slide decks; it should have authority to block deployments that fail security review.
  2. Maintain an AI asset inventory. You cannot protect what you do not know about. Document every model in production, its training data provenance, its access controls, and its business criticality.
  3. Define acceptable use policies for AI tools. Cover both internal use (which AI tools employees can use, with what data) and external risk (how AI-generated content is verified before it reaches customers).
  4. Adopt the ASD ACSC's guidance on agentic AI: their 2026 joint advisory on careful adoption of agentic AI services provides a checklist covering access controls, monitoring, and fallback mechanisms specific to autonomous AI agents.
  5. Budget for AI security as a line item. Gartner estimates that by 2027, AI-specific security spending will need to represent at least 10% of total cybersecurity budgets for organisations deploying AI at scale. Most are currently at 1–2%.

FAQ

Q: Is model theft really a practical concern for mid-sized businesses? A: Yes. If you have invested in fine-tuning models on proprietary data, that model encodes competitive advantage. Competitors — or nation-state actors — can steal it via API access or insider threats. The cost to recreate a fine-tuned model from scratch can exceed $5 million; the cost to extract it via API queries is often under $50,000.

Q: How is data poisoning different from a regular data breach? A: A data breach steals data. Data poisoning corrupts it. The damage is not in what the attacker learns — it is in what your AI model learns. A poisoned model can function normally for months, producing correct outputs for most inputs while containing embedded backdoors that the attacker can trigger at will.

Q: Do we need separate security tools for AI, or do existing tools cover it? A: Existing tools cover infrastructure (network security, endpoint protection, identity management) but miss AI-specific risks like prompt injection, model extraction, and adversarial inputs. You need purpose-built AI security tooling — guardrail frameworks, adversarial testing suites, and model monitoring — layered on top of your existing stack.

Q: What should we do first if we have limited budget? A: Start with an AI asset inventory and access control review. Know what models you have, who can access them, and what data they touch. Then implement query-rate limiting on any model-facing API. These two steps address the highest-probability attacks at minimal cost.

Conclusion

AI is simultaneously the most powerful defensive tool and the most dangerous new attack surface your organisation has ever faced. The threats — deepfake fraud that bypasses human judgment, prompt injection that turns your AI agents against you, model theft that steals millions in IP, and data poisoning that corrupts your systems from within — are not theoretical. They are active, escalating, and already being exploited by both criminal and state-sponsored actors.

The organisations that weather this shift will be those that treat AI security as a first-class discipline, not an afterthought appended to existing cybersecurity programmes. Build the governance, deploy the tooling, train your people, and test your systems before someone else tests them for you.

Visit consult.lil.business for a free cybersecurity assessment and find out where your AI investments are exposed.

References

  1. ASD ACSC — Joint Guidance on Agentic AI Services (2026): Guidance on secure adoption of agentic AI, including access controls, monitoring, and fallback mechanisms. https://www.cyber.gov.au/resources-business-and-government/guidance/new-joint-guidance-provides-mitigations-careful-adoption-agentic-ai-services

  2. NIST AI Risk Management Framework (AI RMF 1.0): The foundational US framework for managing AI risk across the Govern, Map, Measure, and Manage functions. https://www.nist.gov/artificial-intelligence/executive-order-safe-secure-and-trustworthy-artificial-intelligence

  3. NCSC UK — The Near-Term Impact of AI on the Cyber Threat: Assessment of how AI is increasing the volume and sophistication of cyber attacks, including phishing and social engineering. https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat

  4. ASD ACSC — Using AI to Strengthen Cyber Defence (2026): Guidance on how organisations can leverage AI defensively while understanding the associated risks. https://www.cyber.gov.au

  5. OWASP Top 10 for Large Language Model Applications: Community-driven list of the most critical vulnerabilities in LLM applications, including prompt injection, supply chain risks, and data leakage. https://owasp.org/www-project-top-10-for-large-language-model-applications/

TL;DR

  • A company called Navia that helps manage benefits (like health savings accounts) got hacked
  • 2.7 million people's personal information was stolen – including names, birthdays, and Social Security Numbers
  • The hackers had access for 3 whole weeks before anyone noticed
  • This shows why businesses need to be careful about which companies they trust with their data
  • Even if you don't use Navia, your employees might be affected

What Happened?

Imagine you give your house key to a friend so they can feed your cat while you're on vacation. But what if that friend leaves the key under the doormat where anyone can find it?

That's kind of what happened with Navia.

Navia is a company that helps businesses manage employee benefits – things like:

  • Health savings accounts (FSA and HSA)
  • Commuter benefits
  • COBRA services (continuing health insurance after leaving a job)

Over 10,000 companies trust Navia with their employees' personal information [1].

In December 2025, hackers broke into Navia's computers. For three whole weeks – from December 22 to January 15, 2026 – they could look at private information without anyone stopping them [2].

What Did the Hackers Steal?

The hackers took personal information about 2.7 million people [3]:

  • Full names
  • Birthdays
  • Social Security Numbers (like a secret ID number for every person in the US)
  • Phone numbers
  • Email addresses
  • Information about health benefits

Think of it like this: If someone steals your backpack, they might get your homework. But if they steal this information, they can pretend to be you, open credit cards in your name, and cause big problems.

Why This Matters (Even If You've Never Heard of Navia)

Here's the tricky part: You might not know Navia, but they might have information about your employees.

How? Because your employees might have:

  • Used Navia at a previous job
  • A spouse who works for a company that uses Navia
  • Health benefits through a different company that uses Navia

When Navia got hacked, information about your employees could have been stolen – even though your business did nothing wrong.

It's like your friend's house getting burglarized because they left your spare key under the doormat. You didn't do anything wrong, but now the burglar has your key too.

Related: 1 in 4 Data Breaches Now Come Through Your Vendors: What SMBs Must Do Today

The "Supply Chain" Problem

This is called a supply chain breach. Let me explain:

Imagine you buy ingredients for a restaurant. You trust the grocery store to sell you good food. But what if the grocery store's supplier sells them spoiled ingredients? Now your customers get sick – even though you bought from a trusted store.

In business, when you hire another company to do work for you (like manage benefits or process payroll), you're trusting them with your data. If they get hacked, you have a problem too.

According to IBM's 2025 report, when a data breach happens through a third-party vendor, it costs businesses an average of $4.88 million – much more than regular breaches [4].

What Businesses Should Do

If you run a business, here's what you should learn from the Navia breach:

1. Know Who Has Your Data

Make a list of every company that handles your employees' information:

  • Benefits companies (health insurance, FSA, HSA)
  • Payroll companies
  • HR software
  • Any other service that has personal information

You can't protect what you don't know about.

2. Check Their Security

Before trusting a company with important data, ask:

  • "How do you protect this information?"
  • "Have you ever had a breach before?"
  • "What will you do if you get hacked?"
  • "Do you have insurance to help fix problems?"

It's like checking if a babysitter has experience before trusting them with your kids.

3. Have a Backup Plan

What would you do if one of your vendors called and said, "We got hacked, and your employees' data was stolen"?

You should plan this before it happens:

  • Who needs to know? (Employees, customers, maybe even the news)
  • What will you tell them?
  • How will you help fix the problem?

Related: Your Business Got Hacked — Now What? A Step-by-Step Incident Response Guide for SMBs

What Employees Should Do

If you receive a letter saying your information was stolen in the Navia breach:

1. Don't Panic – But Don't Ignore It

Getting a breach letter is scary, but you have time to act carefully. Don't click on links in emails that say "fix your credit now" – those might be scams too.

2. Use the Free Credit Monitoring

Navia is offering free credit monitoring for one year through a company called Kroll [5]. This means they'll watch your credit report and tell you if someone tries to open an account in your name.

You should sign up for this. Your breach notification letter will have a special code to enroll.

3. Freeze Your Credit

This is the strongest protection. A credit freeze means:

  • No one can open new credit cards or loans in your name
  • You can still use your existing credit cards
  • It's free to do
  • You have to contact each of the three credit companies separately

To freeze your credit, contact:

4. Watch Out for Scams

When hackers steal personal information, they use it to trick people.

Be careful of:

  • Emails that know your name or birthday (the hackers stole this info!)
  • Text messages claiming to be from Navia or Kroll
  • Phone calls from people offering to "help" you fix the problem

Real companies will NEVER:

  • Ask for your password in an email
  • Ask you to pay money to fix a breach
  • Demand you act immediately or something bad will happen

If you're not sure if something is real, contact the company directly using their official website or phone number (not the one in the suspicious email).

The Big Lesson

The Navia breach teaches us something important: When you trust someone else with important information, their security becomes YOUR problem.

You can lock all your doors and windows, but if you give a spare key to a company that leaves it under the doormat, a burglar can still get in.

For businesses, this means:

  • Carefully choose which companies you trust with employee data
  • Check their security before giving them access
  • Plan ahead for what you'll do if they get breached

For individuals, it means:

  • Take breach notifications seriously – don't ignore them
  • Use free credit monitoring when it's offered
  • Freeze your credit if your Social Security Number is stolen
  • Watch out for scams that use stolen personal information

What to Do Right Now

If you run a business:

  1. Make a list of all companies that handle your employees' data
  2. Ask them about their security practices
  3. Make a plan for what you'll do if one of them gets breached

If you receive a Navia breach letter:

  1. Enroll in the free credit monitoring (use the code in your letter)
  2. Freeze your credit with all three bureaus
  3. Be extra careful about emails, texts, and phone calls
  4. Check your credit reports regularly for the next year

Security isn't just about locking your own doors. It's about making sure everyone you trust with your keys knows how to keep them safe. lilMONSTER helps businesses protect their employees' data by identifying hidden risks, choosing trustworthy vendors, and planning for supply chain breaches before they happen.

Book a free consultation and let's make sure your business doesn't become the next supply chain breach victim.

FAQ

A supply chain breach happens when hackers attack a company that you do business with (like a benefits provider or payroll company), instead of attacking you directly. When that company gets breached, your data or your employees' data can be stolen – even though you did nothing wrong. It's like your friend's house getting burglarized because they left your spare key under the doormat [1][4].

Even if your business doesn't use Navia, your employees might have FSA, HSA, or COBRA accounts through Navia from previous jobs or through a spouse's employer. When their personal information is stolen, hackers can use it to create very convincing phishing attacks that target your business. Plus, if any of your vendors or business partners use Navia, their breach could affect you too [1][3].

First, don't panic – but don't ignore it. Enroll in the free credit monitoring that Navia is offering (your letter will have a code to sign up). Freeze your credit with all three bureaus (Equifax, Experian, TransUnion) – this is free and prevents anyone from opening new credit in your name. Watch out for scams that use your stolen information to trick you. And check your credit reports regularly for the next year [5].

A credit freeze is like locking a door – nobody can open new credit in your name until you unlock it. A fraud alert is like putting up a sign that says "check ID before letting anyone in" – it tells credit companies to verify your identity, but doesn't completely block new credit. A freeze is stronger protection, but both are free and you should use them if your Social Security Number is stolen [5].

Businesses should: (1) Make a list of every company that handles employee data, (2) Check their security before hiring them (ask about their practices, insurance, and past breaches), (3) Put security rules in contracts (like requiring them to tell you immediately if they're hacked), and (4) Make a plan for what you'll do if a vendor gets breached – so you're not scrambling when it happens [4].

References

[1] Tom's Guide, "2.7 million hit in workplace benefits data breach with full names, dates of birth, SSNs and more exposed — what to do now," March 20, 2026. [Online]. Available: https://www.tomsguide.com/computing/online-security/2-7-million-hit-in-workplace-benefits-data-breach-with-full-names-dates-of-birth-ssns-and-more-exposed-what-to-do-now

[2] BleepingComputer, "Navia discloses data breach impacting 2.7 million people," March 20, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/navia-discloses-data-breach-impacting-27-million-people/

[3] Navia Benefit Solutions, "Notice of Data Breach," March 2026. [Online]. Available: https://www.documentcloud.org/documents/27895002-navia-notice/

[4] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[5] Tom's Guide, "2.7 million hit in workplace benefits data breach," March 20, 2026. [Online]. Available: https://www.tomsguide.com/computing/online-security/2-7-million-hit-in-workplace-benefits-data-breach-with-full-names-dates-of-birth-ssns-and-more-exposed-what-to-do-now

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation