DISA Global Solutions, a company based in the United States that provides employee screening services, has reported a data breach impacting over 3.3 million individuals. DISA, which offers services such as drug and alcohol testing and background checks to more than 55,000 businesses, including a third of Fortune 500 companies, disclosed the breach in a filing with the Maine attorney general on Monday.
The company revealed that a “cyber incident” affecting a “limited portion” of its network was discovered on April 22, 2024. An internal investigation concluded that an intruder had accessed DISA’s network on February 9, 2024, and remained undetected for more than two months.
In its communication with those affected by the breach, who include people who underwent employee screening tests, DISA stated that the attacker had “procured some information” from its systems. A separate filing with the Massachusetts attorney general confirmed that the compromised data included Social Security numbers, financial account details such as credit card numbers, and government-issued identification documents. Over 360,000 Massachusetts residents are among those affected.
Despite this, DISA’s data breach notification letter indicated that it could not conclusively identify the specific data accessed, suggesting the company lacks the technical capability to determine what internal data was accessed or exfiltrated. The company’s website states that it collects various personal and sensitive information, including job history, educational background, criminal records, and credit history.
The identity of the individuals behind the cyberattack and the methods used to compromise the organization are still unknown. It also remains unclear why there was a delay in notifying those impacted by the breach. DISA has not yet responded to inquiries from TechCrunch regarding the incident.