DISA Global Solutions, a provider of employee screening services based in the United States, has reported a data breach impacting over 3.3 million individuals.
The company, which offers services such as drug and alcohol testing and background checks to more than 55,000 enterprises, including one-third of Fortune 500 companies, confirmed the breach in a notification filed with the attorney general of Maine.
DISA identified a “cyber incident” affecting a “limited portion” of its network on April 22, 2024. An internal investigation revealed that a hacker had accessed the company’s network on February 9, 2024, remaining undetected for over two months.
In communications with affected individuals, who include those who have undergone employee screening tests, DISA acknowledged that the attacker “procured some information” from its systems.
A separate notification to the Massachusetts attorney general confirmed that the compromised data included Social Security numbers, financial account details such as credit card numbers, and government-issued identification documents. According to this filing, over 360,000 residents of Massachusetts were affected.
However, DISA’s data breach notification letter noted that the company “could not definitively conclude the specific data procured,” indicating a lack of technical capability, such as logging, to determine what internal data was accessed or extracted.
DISA’s website states that the company gathers extensive personal and sensitive information, including data related to an applicant’s work history, educational background, criminal records, and credit history.
The identity of the perpetrators and the method of compromise have not yet been determined. Additionally, the reason for the delayed notification to affected individuals remains unclear.
DISA has not yet responded to inquiries from TechCrunch.