Full Report
Houston-based employee screening company DISA Global Solutions says a 2024 data breach exposed the information of more than 3.3 million people.
Analysis Summary
# Incident Report: DISA Global Solutions Data Breach
## Executive Summary
DISA Global Solutions, a provider of background checks and drug testing, suffered a data breach in early 2024 that exposed the personal information of over 3.3 million current, former, and prospective employees of its clients. The incident, discovered in April 2024, was attributed to external hacking activity. The impact includes the potential exposure of highly sensitive PII such as Social Security Numbers and financial account details, prompting the organization to offer credit monitoring services.
## Incident Details
- Discovery Date: April 22, 2024
- Incident Date: Began around February 9, 2024
- Affected Organization: DISA Global Solutions
- Sector: Background Check & Employee Screening (Human Resources Technology/Services)
- Geography: Houston-based (US operations implied)
## Timeline of Events
### Initial Access
- Date/Time: Approximately February 9, 2024
- Vector: External Hacking Source
- Details: Illicit activity began; specific vector not detailed but classified as "hacking."
### Lateral Movement
- *Details not provided in the source material.*
### Data Exfiltration/Impact
- Data exposed may include Name, Social Security Number (SSN), Driver’s License Number, other government ID numbers, financial account information, and other PII for over 3.3 million individuals.
### Detection & Response
- Detection Date: April 22, 2024.
- Response actions: DISA notified Maine regulators and offered affected individuals credit monitoring services through Experian.
## Attack Methodology
- Initial Access: Hacking from an external source.
- Persistence: *Not specified.*
- Privilege Escalation: *Not specified.*
- Defense Evasion: *Not specified.*
- Credential Access: *Not specified.*
- Discovery: *Not specified.*
- Lateral Movement: *Not specified.*
- Collection: Data elements, including sensitive PII, were collected.
- Exfiltration: *Attributed to the hacking activity, but specific methods not detailed.*
- Impact: Exposure of PII for over 3.3 million people.
## Impact Assessment
- Financial: *Not specified (though remediation/notification costs likely incurred).*
- Data Breach: Information for over 3.3 million people, potentially including SSNs, driver's license numbers, and financial account information.
- Operational: *No direct operational disruption mentioned, but service integrity is compromised.*
- Reputational: Negative impact due to exposure of sensitive client and employee data for a major screening provider.
## Indicators of Compromise
- Network indicators: *None provided.*
- File indicators: *None provided.*
- Behavioral indicators: Unauthorized activity traced back to February 9, 2024.
## Response Actions
- Containment measures: *Not specified; containment is inferred from the finalized breach timeline.*
- Eradication steps: *Not specified; implied by the illicit activity having been stopped.*
- Recovery actions: Offering credit monitoring through Experian to affected parties.
## Lessons Learned
- Key takeaways: Third-party data processors (like DISA, which serves 30% of Fortune 500 companies) represent a significant concentration risk for PII.
- What could have been done better: Improved threat detection capabilities, as the gap between initial compromise (Feb 9) and discovery (Apr 22) was over two months.
## Recommendations
- Strengthen perimeter security defenses, especially against external hacking attempts, given the nature of the attack.
- Implement enhanced monitoring and User and Entity Behavior Analytics (UEBA) to detect unauthorized data staging or exfiltration earlier than the two-month delay seen in this incident.
- Review existing data retention policies to minimize the volume of highly sensitive PII (like SSNs) held on behalf of clients.