A cyberattack on DISA Global Solutions, Inc., a major U.S. provider of employment screening services, has compromised the sensitive personal information of 3,332,750 individuals.
The company confirmed the breach in an official notification sent to affected individuals and filed with state attorneys general. The breach reportedly occurred between February 9, 2024, and April 22, 2024, when DISA discovered unauthorized access to parts of its network. The attack remained undetected for over two months, raising concerns about the company’s cybersecurity measures and response protocols.
DISA provides employment background checks, drug and alcohol testing, and other screening services for over 55,000 businesses, including 30% of Fortune 500 companies. According to DISA’s official disclosure, the affected data may include names, Social Security numbers, driver’s license numbers, financial account information, and other personal identifiers. While DISA stated that there is no evidence of misuse at this time, experts warn that stolen Social Security numbers are particularly valuable to cybercriminals and could be exploited for identity theft.
The company has taken steps to contain the breach, notify law enforcement, and offer 12 months of free credit monitoring and identity restoration services to those impacted.
Why It Matters: This breach underscores the risks faced by companies that handle large amounts of sensitive personal data, particularly third-party vendors serving major corporations. With DISA taking over two months to detect the intrusion, and still unable to confirm exactly what was stolen, concerns remain about its security monitoring and response. Reports that the company may have paid a ransom to prevent the data from being exposed also raise questions about how organizations handle cyber threats and the tough decisions executives may face in times of crisis.
- Breach Timeline and Exposure: DISA detected unauthorized access on April 22, 2024, but forensic investigations revealed that the breach began on February 9, 2024. The company took over two months to detect and contain the intrusion.
- Affected Population and Notification: The breach impacted 3,332,750 individuals according to regulatory filings. Affected individuals received notification letters and an offer for 12 months of free credit monitoring through Experian.
- Sensitive Data Accessed: While DISA did not confirm exactly what was exfiltrated, exposed data likely includes Social Security numbers, financial account details, government-issued ID numbers, and other personal identifiers. The company also collects employment history, background checks, and health-related data, though it has not disclosed whether these records were compromised.
- Possible Ransom Payment: A now-deleted statement from DISA suggested that the company negotiated with the attackers to prevent the public release of the stolen data. If confirmed, this would align with growing concerns about organizations quietly paying ransoms instead of reporting full details of cyber incidents.
- DISA Global Solutions Confirms Data Breach Affecting 3.3M People – Infosecurity Magazine
- US Drug Testing Firm DISA Says Data Breach Impacts 3.3 Million People – BleepingComputer