A data breach at DISA Global Solutions exposes sensitive info of 3.3 million individuals, including SSNs, financial details, and ID documents.

Continue reading
DISA Global Solutions, a leading U.S.-based provider of employee screening services, has reported a significant data breach impacting over 3.3 million individuals. This breach compromises sensitive personal data, raising concerns regarding the security practices of a major player in the employee screening and compliance sector.
On April 22, 2024, DISA Global Solutions filed an official report with Maine’s Attorney General confirming that a cyber incident had affected a "limited portion" of its internal network. This breach occurred on February 9, 2024, and went undetected for more than two months, compromising a wide range of personal data.
According to a separate filing with the Massachusetts Attorney General, DISA revealed that the compromised data includes:
Over 360,000 residents of Massachusetts were directly impacted by this breach, though the full scope remains unclear. It is important to note that DISA has yet to definitively confirm which data was specifically exfiltrated, suggesting limitations in their security logging and monitoring systems.
The breach affects individuals who underwent various employee screening tests. These screenings include sensitive data such as:
Given the nature of DISA’s services, which cater to over 55,000 enterprises (including major corporations such as Fortune 500 companies), the breach has widespread implications. The company’s lack of clear technical logs means that the total exposure of data remains uncertain.
DISA’s internal investigation has not identified the perpetrators of the cyberattack. As of the latest update, it remains unclear how the breach occurred or the specific methodology used by the attacker to infiltrate DISA's systems. Furthermore, there is a significant delay in informing affected individuals, raising concerns about the company’s crisis management protocols and internal security measures.
DISA has assured the public that they are working to contain the breach and prevent further unauthorized access. They have also initiated procedures to notify all individuals whose data was compromised. However, questions persist about their ability to track and monitor unauthorized data access, given the lack of logs and transparency in their internal response.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been