DISA Global Solutions, a Houston-based provider of employee background checks, disclosed a significant cybersecurity incident on April 22, 2024, that had exposed the personal information of over 3.3 million individuals, including 15,198 residents of Maine. The breach occurred on February 9, 2024, but the intrusion went undetected for 76 days, raising concerns about the company’s network monitoring practices. Hackers accessed systems containing sensitive employee screening data, which included Social Security numbers, employment histories, and criminal background information. The breach’s delayed discovery has sparked worries about potential data exfiltration and the establishment of persistent access by the attackers.
The breach was the result of an external hacking incident targeting DISA’s infrastructure. The compromised data could lead to identity theft and financial fraud due to the combination of names with sensitive personal identifiers. DISA’s role as a third-party service provider for employers, including those in critical sectors such as healthcare and transportation, magnifies the gravity of the incident. Despite the lack of specific details regarding the exact nature of the compromised data, privacy advocates remain concerned, particularly about the potential access to financial and biometric information.
DISA began notifying affected individuals on February 21, 2024, though this was 12 days before the breach was discovered. They offered 12 months of free credit monitoring and identity theft protection in partnership with Experian. However, the company has not provided specific information about whether it has implemented stronger security measures such as encryption or multi-factor authentication after the incident. Legal counsel for DISA has confirmed that they are cooperating with federal investigators, but to date, there has been no evidence of data misuse. Still, the company faces potential litigation due to the scale of the breach and its significant impact on privacy.
The breach has raised broader concerns about the security of centralized employee data repositories, particularly because it affected millions across various industries. With the potential for litigation and further regulatory investigations, including under the FTC’s Safeguards Rule and state privacy laws, DISA faces ongoing scrutiny. For those impacted, experts recommend enrolling in the provided credit monitoring service, placing fraud alerts with credit bureaus, and monitoring financial and employment records for unauthorized activity. This incident serves as a cautionary tale for the growing employee screening industry, especially as digitized records become increasingly prevalent.