TL;DR
Ransomware and supply chain breaches now cost businesses an average of $5.08 million per incident in 2026, with US companies facing costs exceeding $10.22 million on average. Capita paid a record £14 million ($18.7 million) fine after a 2023 breach exposed 6.6 million people's financial data; CNA Financial paid a $40 million ransom settlement in 2021; and supply chain compromises cost 17 times more to remediate than direct attacks. Most of these losses were preventable with basic controls: multi-factor authentication, air-gapped backups, and third-party risk assessments.
The Staggering Price Tag of "It Won't Happen to Us"
The numbers are no longer abstract. In 2026, the global average cost of a ransomware breach sits at $5.08 million according to IBM's latest Cost of a Data Breach report. US businesses fare even worse — the average breach now exceeds $10.22 million. Total global ransomware damage is projected to hit $74 billion this year, according to Cybersecurity Ventures. Behind every statistic is a real company that assumed it was protected enough. Here are three cases where that assumption cost millions.
Capita: The £14 Million "No Evidence" Mistake
What happened: In March 2023, the UK's largest outsourcing firm Capita suff
The bill: In 2025, the UK's Information Commissioner's Office (ICO) fined Capita a combined £14 million ($18.7 million). This was the largest fine ever issued by the ICO in a ransomware case and was reduced from an initial £45 million ($60 million) penalty. The ICO received complaints from individuals whose bank accounts had been drained as a direct result of the stolen data.
How it could have been prevented: The ICO's investigation found Capita "lacked the appropriate technical and organisational measures to effectively respond to the attack." Basic segmentation of its pension systems from the rest of the corporate network would have contained the blast radius. Encrypting financial data at rest would have rendered the stolen credit card numbers useless. A tested incident response plan — and honest breach disclosure from day one — could have reduced the regulatory penalty substantially.
CNA Financial: A $40 Million Ransom Settlement
What happened: In March 2021, CNA Financial — one of the largest insurance companies in the United States — was hit by a ransomware attack. The attackers, reportedly demanding $60 million, encrypted corporate data and threatened to leak it publicly.
The bill: CNA paid $40 million to the attackers. This remains one of the largest confirmed ransomware settlements on record. The payment didn't include the additional costs of system restoration, forensic investigation, legal fees, regulatory scrutiny, and reputational damage — costs that typically double or triple the visible number.
How it could have been prevented: Ransom demands keep climbing. The median ransom payment surged from under $199,000 in early 2023 to $1.5 million by mid-2024, and the largest payment on record — $75 million by an undisclosed Fortune 50 company to the Dark Angels group — shows attackers are getting bolder. CNA's case highlights the value of immutable, air-gapped backups that are tested regularly. If a company can restore operations without paying, the attacker's leverage vanishes. CNA, as an insurer, also should have had the most hardened security posture in the room — a painful irony not lost on the cybersecurity community.
The Supply Chain Multiplier: 17x the Damage
What's happening: IBM's 2025 report confirms that supply chain compromises now cost 17 times more to remediate than direct attacks. The average time to identify and contain a supply chain breach is 267 days — nearly nine months of attackers moving laterally through trusted vendor relationships before anyone notices.
The attack surface is every vendor with network access, every software dependency in your stack, every third party that processes your data. Gartner had predicted that by 2025, 45% of organizations would experience attacks on their software supply chains. The reality has validated those warnings.
The bill: Healthcare is the hardest-hit sector, with breach costs averaging $11.2 million. When a healthcare supply chain vendor is compromised, patient data from dozens of downstream providers can be exposed simultaneously — multiplying the cost for everyone involved. Stolen credentials remain the most expensive attack vector, taking an average of 292 days to resolve.
How it can be prevented: Vendor risk assessments aren't a one-time checkbox. Every third party with access to your systems needs ongoing monitoring. The NIST Cybersecurity Framework and ISO/IEC 27001 provide structured approaches to supply chain risk management. Technical controls — API access restrictions, network segmentation, least-privilege access — prevent one compromised vendor from becoming every vendor's problem.
What Your Business Should Do This Week
These aren't hypotheticals. The same attack patterns that cost Capita £14 million and CNA $40 million are scanning your network right now. Here are three actions you can complete by Friday:
Test your backups. Not "check that the backup job ran." Actually restore a critical system from backup to verify the data is intact and the process works. If your backups are on the same network as production, they're not backups — they're another target.
Enable multi-factor authentication everywhere. Stolen credentials are the costliest attack vector. MFA on every external-facing service — email, VPN, cloud consoles, remote desktop — stops credential theft from becoming a breach. This is the single highest-ROI security control available.
Audit your third-party access. List every vendor, partner, and contractor with network access, API keys, or data processing agreements. For each one, ask: what's the minimum access they actually need? Remove everything else. Supply chain attacks multiply costs 17x; shrinking the vendor attack surface shrinks that multiplier.
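As an added example that is not part of the original article, the script below applies the third-party access audit described above to a constructed vendor inventory: for each vendor it flags permissions beyond the minimum needed, access that has not been used recently, and external-facing channels without MFA. The vendor names, channels, the 90-day staleness window and the list of channels treated as external-facing are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class VendorAccess:
    """One third party's access into our environment (constructed sample data)."""
    vendor: str
    channel: str               # assumed values: "vpn", "api_key", "remote_desktop", ...
    granted: set               # permissions currently granted
    required: set              # minimum the vendor actually needs for its job
    last_used: Optional[date]  # None means never used since it was granted
    mfa_enforced: bool         # does this channel require MFA?

STALE_DAYS = 90  # assumed threshold: access unused this long is a removal candidate
# Assumed set of channels that count as external-facing and therefore need MFA.
EXTERNAL_CHANNELS = {"vpn", "remote_desktop", "cloud_console"}

def audit_vendor_access(inventory, today, stale_days=STALE_DAYS):
    """Return {vendor: [(code, detail), ...]} for every vendor with at least one issue.

    Codes: EXCESS  = granted more than required (least-privilege gap)
           STALE   = unused for longer than stale_days, or never used
           NO_MFA  = external-facing channel without MFA
    """
    findings = {}
    for rec in inventory:
        issues = []
        excess = rec.granted - rec.required
        if excess:
            issues.append(("EXCESS", f"remove {sorted(excess)}"))
        if rec.last_used is None or (today - rec.last_used).days > stale_days:
            issues.append(("STALE", f"unused for more than {stale_days} days"))
        if rec.channel in EXTERNAL_CHANNELS and not rec.mfa_enforced:
            issues.append(("NO_MFA", f"{rec.channel} access without MFA"))
        if issues:
            findings[rec.vendor] = issues
    return findings

# Constructed sample inventory; none of these are real vendors.
SAMPLE = [
    VendorAccess("payroll-co", "api_key", {"read:employees", "write:payroll"},
                 {"read:employees", "write:payroll"}, date(2026, 3, 10), True),
    VendorAccess("hvac-contractor", "vpn", {"lan:all"}, {"lan:bms-vlan"},
                 date(2025, 9, 1), False),
    VendorAccess("old-msp", "vpn", {"admin:all"}, set(), None, True),
]
AUDIT_DATE = date(2026, 3, 20)  # assumed date the audit is run

def audit_sample():
    """Run the audit over the constructed inventory."""
    return audit_vendor_access(SAMPLE, AUDIT_DATE)

if __name__ == "__main__":
    for vendor, issues in audit_sample().items():
        print(vendor)
        for code, detail in issues:
            print(f"  [{code}] {detail}")
```

Vendors that come back with only a STALE finding are the easy wins: their access can simply be removed, which shrinks the attack surface without touching anything that is in use.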
FAQ
Q: My business is small — are we really a target?
A: Yes. Attackers automate their scanning. They don't care about your revenue — they care about whether your door is unlocked. The average ransomware recovery cost (excluding ransom) dropped to $1.53 million in 2025, but that's still an extinction-level event for most small businesses. Criminals know this and price their ransom demands accordingly — often set at what your cyber insurance policy will cover.
Q: Should we pay the ransom if we get hit?
A: The data says no. In 2024, total crypto ransom payments tracked by blockchain analysis fell 35% year-over-year to $813 million — not because attacks decreased, but because more organizations are refusing to pay. Law enforcement agencies including the DOJ and ACSC strongly advise against payment. Paying also marks you as a repeat target. Invest in restoration capability instead.
Q: What's the single most effective thing we can do with a limited budget?
A: Multi-factor authentication plus offline backups. MFA blocks the most common initial access vector (stolen credentials). Offline backups remove the attacker's negotiating power. Together, they cost almost nothing compared to the average breach.
Q: How long does it take to recover from a ransomware attack?
A: The average time to identify and contain a breach is 267 days according to IBM's data. Full operational recovery often takes months beyond containment. The businesses that recover fastest are the ones that practiced their incident response plan before they needed it.
Conclusion
Capita's £14 million fine. CNA's $40 million ransom. Supply chain compromises multiplying damage 17-fold. These aren't edge cases — they're the new normal. The companies that survived these incidents didn't have exotic security tools. They lacked the fundamentals that cost almost nothing to implement: tested backups, MFA, and visibility into who has access to what.
Don't wait for the breach to find out what your security gaps actually cost. The average breach in the US now exceeds $10 million. For a mid-market business, that's not a line item — it's the end of the company.
Visit consult.lil.business for a free cybersecurity assessment. We'll help you identify the gaps before someone else does.
References
- IBM Cost of a Data Breach Report 2025
- ICO Fines Capita £14m Over Ransomware Data Breach 2023
- Fortinet — Recent Ransomware Payments and Settlements (CNA Financial, Colonial Pipeline)
- Cybersecurity Ventures — Ransomware Damage to Cost $74B in 2026
- Programs.com — 2026 Ransomware Cost Statistics
- CyberLab — Supply Chain Risk in 2026
TL;DR
- A company called Navia that helps manage benefits (like health savings accounts) got hacked
- 2.7 million people's personal information was stolen – including names, birthdays, and Social Security Numbers
- The hackers had access for 3 whole weeks before anyone noticed
- This shows why businesses need to be careful about which companies they trust with their data
- Even if you don't use Navia, your employees might be affected
What Happened?
Imagine you give your house key to a friend so they can feed your cat while you're on vacation. But what if that friend leaves the key under the doormat where anyone can find it?
That's kind of what happened with Navia.
Navia is a company that helps businesses manage employee benefits – things like:
- Health savings accounts (FSA and HSA)
- Commuter benefits
- COBRA services (continuing health insurance after leaving a job)
Over 10,000 companies trust Navia with their employees' personal information [1].
In December 2025, hackers broke into Navia's computers. For three whole weeks – from December 22 to January 15, 2026 – they could look at private information without anyone stopping them [2].
What Did the Hackers Steal?
The hackers took personal information about 2.7 million people [3]:
- Full names
- Birthdays
- Social Security Numbers (like a secret ID number for every person in the US)
- Phone numbers
- Email addresses
- Information about health benefits
Think of it like this: If someone steals your backpack, they might get your homework. But if they steal this information, they can pretend to be you, open credit cards in your name, and cause big problems.
Why This Matters (Even If You've Never Heard of Navia)
Here's the tricky part: You might not know Navia, but they might have information about your employees.
How? Because your employees might have:
- Used Navia at a previous job
- A spouse who works for a company that uses Navia
- Health benefits through a different company that uses Navia
When Navia got hacked, information about your employees could have been stolen – even though your business did nothing wrong.
It's like your friend's house getting burglarized because they left your spare key under the doormat. You didn't do anything wrong, but now the burglar has your key too.
The "Supply Chain" Problem
This is called a supply chain breach. Let me explain:
Imagine you buy ingredients for a restaurant. You trust the grocery store to sell you good food. But what if the grocery store's supplier sells them spoiled ingredients? Now your customers get sick – even though you bought from a trusted store.
In business, when you hire another company to do work for you (like manage benefits or process payroll), you're trusting them with your data. If they get hacked, you have a problem too.
According to IBM's 2025 report, when a data breach happens through a third-party vendor, it costs businesses an average of $4.88 million – much more than regular breaches [4].
What Businesses Should Do
If you run a business, here's what you should learn from the Navia breach:
1. Know Who Has Your Data
Make a list of every company that handles your employees' information:
- Benefits companies (health insurance, FSA, HSA)
- Payroll companies
- HR software
- Any other service that has personal information
You can't protect what you don't know about.
2. Check Their Security
Before trusting a company with important data, ask:
- "How do you protect this information?"
- "Have you ever had a breach before?"
- "What will you do if you get hacked?"
- "Do you have insurance to help fix problems?"
It's like checking if a babysitter has experience before trusting them with your kids.
3. Have a Backup Plan
What would you do if one of your vendors called and said, "We got hacked, and your employees' data was stolen"?
You should plan this before it happens:
- Who needs to know? (Employees, customers, maybe even the news)
- What will you tell them?
- How will you help fix the problem?
What Employees Should Do
If you receive a letter saying your information was stolen in the Navia breach:
1. Don't Panic – But Don't Ignore It
Getting a breach letter is scary, but you have time to act carefully. Don't click on links in emails that say "fix your credit now" – those might be scams too.
2. Use the Free Credit Monitoring
Navia is offering free credit monitoring for one year through a company called Kroll [5]. This means they'll watch your credit report and tell you if someone tries to open an account in your name.
You should sign up for this. Your breach notification letter will have a special code to enroll.
3. Freeze Your Credit
This is the strongest protection. A credit freeze means:
- No one can open new credit cards or loans in your name
- You can still use your existing credit cards
- It's free to do
- You have to contact each of the three credit companies separately
To freeze your credit, contact:
- Equifax: equifax.com/personal/credit-report-services/
- Experian: experian.com/freeze/center.html
- TransUnion: transunion.com/credit-freeze
4. Watch Out for Scams
When hackers steal personal information, they use it to trick people.
Be careful of:
- Emails that know your name or birthday (the hackers stole this info!)
- Text messages claiming to be from Navia or Kroll
- Phone calls from people offering to "help" you fix the problem
Real companies will NEVER:
- Ask for your password in an email
- Ask you to pay money to fix a breach
- Demand you act immediately or something bad will happen
If you're not sure if something is real, contact the company directly using their official website or phone number (not the one in the suspicious email).
The Big Lesson
The Navia breach teaches us something important: When you trust someone else with important information, their security becomes YOUR problem.
You can lock all your doors and windows, but if you give a spare key to a company that leaves it under the doormat, a burglar can still get in.
For businesses, this means:
- Carefully choose which companies you trust with employee data
- Check their security before giving them access
- Plan ahead for what you'll do if they get breached
For individuals, it means:
- Take breach notifications seriously – don't ignore them
- Use free credit monitoring when it's offered
- Freeze your credit if your Social Security Number is stolen
- Watch out for scams that use stolen personal information
What to Do Right Now
If you run a business:
- Make a list of all companies that handle your employees' data
- Ask them about their security practices
- Make a plan for what you'll do if one of them gets breached
If you receive a Navia breach letter:
- Enroll in the free credit monitoring (use the code in your letter)
- Freeze your credit with all three bureaus
- Be extra careful about emails, texts, and phone calls
- Check your credit reports regularly for the next year
Security isn't just about locking your own doors. It's about making sure everyone you trust with your keys knows how to keep them safe. lilMONSTER helps businesses protect their employees' data by identifying hidden risks, choosing trustworthy vendors, and planning for supply chain breaches before they happen.
Book a free consultation and let's make sure your business doesn't become the next supply chain breach victim.
FAQ
A supply chain breach happens when hackers attack a company that you do business with (like a benefits provider or payroll company), instead of attacking you directly. When that company gets breached, your data or your employees' data can be stolen – even though you did nothing wrong. It's like your friend's house getting burglarized because they left your spare key under the doormat [1][4].
First, don't panic – but don't ignore it. Enroll in the free credit monitoring that Navia is offering (your letter will have a code to sign up). Freeze your credit with all three bureaus (Equifax, Experian, TransUnion) – this is free and prevents anyone from opening new credit in your name. Watch out for scams that use your stolen information to trick you. And check your credit reports regularly for the next year [5].
A credit freeze is like locking a door – nobody can open new credit in your name until you unlock it. A fraud alert is like putting up a sign that says "check ID before letting anyone in" – it tells credit companies to verify your identity, but doesn't completely block new credit. A freeze is stronger protection, but both are free and you should use them if your Social Security Number is stolen [5].
Businesses should: (1) Make a list of every company that handles employee data, (2) Check their security before hiring them (ask about their practices, insurance, and past breaches), (3) Put security rules in contracts (like requiring them to tell you immediately if they're hacked), and (4) Make a plan for what you'll do if a vendor gets breached – so you're not scrambling when it happens [4].
References
[1] Tom's Guide, "2.7 million hit in workplace benefits data breach with full names, dates of birth, SSNs and more exposed — what to do now," March 20, 2026. [Online]. Available: https://www.tomsguide.com/computing/online-security/2-7-million-hit-in-workplace-benefits-data-breach-with-full-names-dates-of-birth-ssns-and-more-exposed-what-to-do-now
[2] BleepingComputer, "Navia discloses data breach impacting 2.7 million people," March 20, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/navia-discloses-data-breach-impacting-27-million-people/
[3] Navia Benefit Solutions, "Notice of Data Breach," March 2026. [Online]. Available: https://www.documentcloud.org/documents/27895002-navia-notice/
[4] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[5] Tom's Guide, "2.7 million hit in workplace benefits data breach," March 20, 2026. [Online]. Available: https://www.tomsguide.com/computing/online-security/2-7-million-hit-in-workplace-benefits-data-breach-with-full-names-dates-of-birth-ssns-and-more-exposed-what-to-do-now