DISA Global Solutions, a US-based firm conducting employee background checks and drug screening tests for a large number of Fortune 500 companies, reported on Tuesday that a breach last spring, during which attackers had access to its systems for over two months, exposed the records of more than 3.3 million individuals.
DISA filed a breach notification with the Maine Attorney General’s office last Friday, February 21st, nearly a year after the “cyber incident” took place, revealing that the personal information of 3,332,750 individuals was compromised in the hack – including social security numbers, credit card account numbers and more.
The threat actors responsible for the “external system breach” were said to have had access to DISA’s network for more than two months, starting on February 9th, 2024, and ending on April 22nd, 2024, when the breach was reportedly discovered.
Possible ransom paid
"Additionally, a now-deleted notice indicated that DISA Global Solutions may have paid a ransom demand," said Nick Tausek, Lead Security Automation Architect at Swimlane.
“This information is a stark reminder to organizations that paying ransoms does not guarantee that stolen data will be deleted and may even further incentivize threat actors to conduct future attacks,” Tausek said.
DISA is listed as the top employee screening and compliance services company for over 55,000 companies in the US and Europe – 30% of them Fortune 500 companies – covering myriad industry sectors, including financial and professional services, diversified industrial, retail, hospitality, media and entertainment, and health and life sciences.
Pre-employee background checks typically include a trove of sensitive personal data, including driving records, credit history, criminal and sex offender records, professional licenses and sanctions, drug screenings, education history, employment history, and bank account information.

Background check firms are "prime targets"
Cory Michal, CSO at security company AppOmni told Cybernews that background check companies are "prime targets" for cybercriminals because of the vast amounts of highly sensitive data that they store, calling them a “one-stop shop for identity theft, fraud, and social engineering attacks.”
“Unlike financial institutions, which must adhere to strict cybersecurity regulations, these companies often operate with less security budget and weaker security controls, making them more vulnerable to attacks,” Michal said, adding that their extensive data retention practices “further increase that risk.”
“Additionally, many background check firms lack advanced monitoring and forensic capabilities, leading to prolonged undetected breaches, as seen in the DISA Global Solutions breach,” Michal said.
DISA, which also posted a notice on its website, stated the breach had only “impacted a limited portion of our network” and that it had “immediately contained the incident and initiated an investigation with the assistance of third-party forensic experts.”
Unknown amount of data stolen
Still, DISA admitted in its notice that even with a “detailed and time-intensive review,” the company “could not definitively conclude the specific data procured,” meaning DISA cannot be sure what personal information the hackers accessed or how much of that information was exfiltrated from its systems.
According to the Massachusetts State Attorney General’s Breach Report Tracker, sensitive information exposed in the breach does include (but is not limited to):
- Social security numbers
- Financial accounts
- Driver’s license
- Credit/debit card account numbers
The company further said it sent out notification letters to those individuals affected by the breach.
“We are writing to inform you about an incident experienced by DISA that may have involved some of your personal information, which came into our possession due to the employee screening services you may have completed with your current or former employer or a prospective employer,” the letter states.

Tausek says that while DISA is offering 12 months of free credit monitoring and identity theft protection and has set up a dedicated hotline for those who need further information, "these efforts fall short of addressing the root cause."
"Organizations must go beyond damage control and focus on strengthening their threat detection, response, and remediation efforts," Tausek said, adding that "cyber resilience isn’t just about responding to breaches, it’s about getting ahead of them before they happen."
"By leveraging AI-driven security automation, security teams can detect anomalies before they escalate into large-scale breaches, reducing both risk and response time," he said.
The company's breach notice states that since discovering the hack, it has not only secured its IT environment and safely restored its systems and operations but has also implemented additional security measures to prevent future incidents.
Headquartered in Houston, with more than 35 offices throughout North America and Europe, DISA’s comprehensive scope of services includes drug and alcohol testing, background screening, occupational health, and transportation compliance, the company’s website states.
Cybernews has reached out to DISA for comment and is awaiting a response.