DISA Global Solutions confirms data breach affecting 3.3M people, exposing sensitive personal info
# Incident Report: DISA Global Solutions Data Breach Affecting 3.3 Million Individuals
## Executive Summary
DISA Global Solutions confirmed a data breach where an unidentified attacker accessed their network between February 9 and April 22, 2024, exposing the sensitive personal information of over 3.3 million individuals undergoing employment screenings. The impact involved the likely exfiltration of Social Security numbers (SSNs), financial details, and other identifiers, prompting DISA to offer affected parties credit monitoring services. Experts criticized the organization for the delayed detection and the inherent risk associated with storing highly sensitive data like SSNs.
## Incident Details
- Discovery Date: April 22, 2024
- Incident Date: Between February 9, 2024, and April 22, 2024
- Affected Organization: DISA Global Solutions, Inc.
- Sector: Employment Screening/Background Checks Administration
- Geography: Not explicitly specified, likely US-based operations.
## Timeline of Events
### Initial Access
- Date/Time: Exact time unknown; the intrusion began on or around February 9, 2024.
- Vector: **Unauthorized access** to a limited portion of the network. The specific initial vector was **not provided** in the report.
- Details: An unidentified attacker gained access to systems where sensitive screening data was housed.
### Lateral Movement
- Details: Attackers maintained access between February 9 and the discovery date of April 22, 2024, implying movement or persistent access across the compromised segment.
### Data Exfiltration/Impact
- Date/Time: Occurred between Feb 9 and Apr 22, 2024.
- Details: Sensitive Personal Information (SPI) was exfiltrated. Files likely contained names, **Social Security numbers (SSNs)**, driver's license numbers, and **financial account information**.
### Detection & Response
- Date/Time: Detected on April 22, 2024.
- Details: DISA detected unauthorized access, launched an internal investigation assisted by third-party forensic experts, took immediate action to contain the breach, notified authorities, and restored operations.
## Attack Methodology
- Initial Access: **Unauthorized Access** (Specific vector unknown).
- Persistence: Maintained access for approximately 10 weeks (Feb 9 to Apr 22).
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed, but the long dwell time suggests successful evasion of existing monitoring.
- Credential Access: Not detailed, but reaching sensitive PII implies some form of credential compromise or system exploitation.
- Discovery: Not detailed.
- Lateral Movement: Implied by the extended access window to the compromised data stores.
- Collection: Gathering of Personally Identifiable Information (PII), including SSNs and financial data.
- Exfiltration: Data was taken from the compromised systems; DISA did not confirm the exact volume taken, but the scale of the impact suggests large-scale theft.
- Impact: Theft of highly monetizable PII, specifically SSNs.
## Impact Assessment
- Financial: Costs were not disclosed, but response, notification, and monitoring services will carry significant expense.
- Data Breach: Exposure affecting over **3.3 million individuals**. Data types included names, **SSNs**, driver's license numbers, and **financial account information**.
- Operational: The company confirmed restoring operations following containment.
- Reputational: Significant concern raised regarding the security posture of employment screening administrators handling highly sensitive data.
## Indicators of Compromise
- *Network indicators*: No specific IP addresses or domains were provided.
- *File indicators*: No specific file hashes were provided.
- *Behavioral indicators*: Extended dwell time (over two months), suggesting a lack of robust Network Detection and Response (NDR) or an inability to detect anomalous data access patterns.
## Response Actions
- **Containment & Investigation:** Immediate action taken upon discovery on April 22, 2024, including engaging third-party forensic experts.
- **Notification:** Affected individuals were notified directly by DISA. Authorities were notified.
- **Remediation & Mitigation:** Security protocols were enhanced.
- **Victim Support:** DISA is offering affected parties 12 months of free credit monitoring and identity restoration services via Experian, alongside access to a dedicated assistance line.
## Lessons Learned
- The long dwell time (over 10 weeks) indicates significant weaknesses in monitoring, threat hunting, or incident detection capabilities.
- Storing SSNs requires a significantly higher security standard due to their high monetization value for threat actors.
- Relying solely on reactive measures (like credit monitoring post-breach) is insufficient; proactive security posture enhancement is crucial, especially for third-party data custodians.
- The root cause of access was not disclosed, hindering full understanding of systemic failures.
## Recommendations
- Immediately review and minimize the retention of highly sensitive data elements such as SSNs, adhering to data minimization principles.
- Implement enhanced security controls, particularly monitoring for large-scale data access or exfiltration attempts, given the profile of background check firms as high-value targets.
- Conduct comprehensive penetration testing and red team exercises focused on detecting extended dwell time and internal lateral movement.
- Review and streamline Incident Response (IR) plans to reduce detection-to-containment timelines dramatically.