
Employee screening company breach exposed PII of more than 3 million


Last week, a year after it suffered a significant data breach that began on February 9, 2024, Houston, Texas-based DISA Global Solutions – a provider of employee screening, compliance, and safety solutions for businesses across industries – began notifying affected individuals of the breach. DISA is offering 12 months of complimentary credit monitoring services through Experian to mitigate the potential risks associated with the compromise of their personally identifiable information (PII).

The data breach, which went undetected until April 22, 2024, compromised the PII of an estimated 3,332,750 people. During this period, sensitive data – including Social Security numbers, financial account details, and government-issued identification documents – were exposed.

Upon discovering the breach, DISA said it promptly launched an internal investigation and engaged third-party forensic experts to assess the extent of the intrusion. Following that investigation, DISA said it began notifying affected individuals on February 21, last week. The letters provide victims with a list of which of their information was compromised.

In a notice on its website, the company said “the personal information contained in these files may have included name, social security number, driver’s license number, other government ID numbers, financial account information, and other data elements.” DISA added that “not every data element was present for every individual.”

DISA said that “although our forensics investigation could not definitively conclude the specific information procured, the affected files contained individuals’ personal information, which came into our possession due to the employment screening services we provide employers and prospective employers.”

DISA said it is “unaware of any attempted or actual misuse of any information involved in this incident.”

February 21 was the same day the company filed a notice of data breach with the Attorney General of Maine. In the notice, DISA explained that the incident resulted in an unauthorized party being able to access consumers’ sensitive information. DISA said it contained the incident and launched an investigation with the help of third-party cybersecurity experts. Through this investigation, DISA confirmed that an unauthorized party had accessed its IT network between February 9, 2024, and April 22, 2024, including files containing confidential consumer information. Upon completing its investigation, DISA said it began sending out data breach notification letters to all individuals whose information was affected by the data security incident.

The breach has raised concerns due to the nature of DISA’s services, which involve handling extensive sensitive personal data for background checks, drug testing, and compliance solutions across various industries. The company has since implemented enhanced security measures to prevent future incidents and has notified law enforcement authorities to aid in the investigation. As of now, the identity of the perpetrators and the exact method of system compromise remain undisclosed.

In light of this event, affected individuals are advised to remain vigilant by monitoring their financial accounts and personal information for any signs of misuse. Enrolling in credit monitoring services and regularly reviewing credit reports can help detect and prevent potential identity theft or financial fraud resulting from the breach.

“Two dimensions of this cyber incident are notable” said Jim Routh, Chief Trust Officer at cybersecurity company Saviynt. “The first is that SSNs were exfiltrated for individuals and these are easily monetized by threat actors. Storing SSNs for any purpose should require a higher level of security and using SSN to identify digital consumers is an obsolete data management practice.”

“The second dimension is the root cause of the breach is not provided so it is not clear what steps DISA took to reduce the probability of this happening again,” Routh said. “Cyber incidents occur in all enterprises so missing an opportunity to make adjustments to controls and processes based on the learnings applied from previous breaches is an indication of cyber resilience and a positive indicator. In this case, there is no indication of cyber resilience.”

DISA Global Solutions’ delay in notifying affected individuals, nearly a year after the initial intrusion, has also drawn scrutiny. The delay is notably longer than in many other high-profile breaches, raising the question of whether affected individuals had enough time to take preventive measures such as credit monitoring and identity theft protection. By the time the notifications began this month, some individuals may already have been exposed to fraud without realizing the source of their compromised information.

“The delay in detecting and reporting the breach raises pressing questions about the ongoing monitoring and incident response strategies employed by DISA. Regulatory implications aside, the slow acknowledgment and mitigation could erode the very trust DISA seeks to build with its partners and the individuals it screens,” said Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “Providing identity theft protection services post-breach, while necessary, is merely a reactive measure. It is imperative for organizations, especially those like DISA that handle vast amounts of personal data, to adopt a more proactive stance on cybersecurity. This includes continuous monitoring, employing advanced threat detection technologies, and fostering a culture of security awareness throughout the organization.”

“As the investigation unfolds,” Malik added, “it will be crucial for DISA and its stakeholders to thoroughly understand how the attackers circumvented their defenses and to implement robust measures to prevent future incidents.”

Several proposed class-action lawsuits have been filed against DISA, and law firms across the nation are actively courting clients. The company is already facing lawsuits over allegations made by dozens of workers that drug screening tests DISA performed for businesses returned false positives, causing some workers to be fired.
