Full Report
DISA Global Solutions, a leading US background screening and drug and alcohol testing firm, has suffered a data breach impacting 3.3 million people. [...]
Analysis Summary
# Incident Report: DISA Drug Testing Firm Data Breach
## Executive Summary
US drug testing firm DISA experienced a major data breach impacting approximately 3.3 million individuals whose personal screening information was compromised. The specific attack vector was not disclosed, but the breach involved the theft of sensitive PII, including SSNs and financial account details. DISA responded by taking measures to dissuade the threat actor from releasing the data and paying a ransom in exchange for confirmation of data deletion, then offered 12 months of free credit monitoring to affected parties.
## Incident Details
- **Discovery Date:** Not explicitly provided; the incident became public when notifications were issued to affected individuals.
- **Incident Date:** Not explicitly provided.
- **Affected Organization:** DISA (Drug Testing Firm)
- **Sector:** Drug Testing / Employee Screening Services (Broadly, Healthcare/Corporate Services)
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Not disclosed by the organization.
- **Details:** Attackers gained unauthorized access to systems holding employee screening data.
### Lateral Movement
- Details **NOT** provided in the source material.
### Data Exfiltration/Impact
- Sensitive Personally Identifiable Information (PII) belonging to approximately 3.3 million individuals was stolen.
- Data potentially included: Full name, Social Security number (SSN), Driver's license number, Government ID number, Financial account information, and additional sensitive employment/background check data.
### Detection & Response
- **How it was discovered:** Not explicitly stated, but the organization issued notifications to impacted individuals and authorities as part of the response.
- **Response actions taken:** DISA negotiated with the threat actor, paid a ransom demand to prevent data release, and received confirmation of data deletion. They are offering 12 months of free credit monitoring and identity theft protection via Experian to affected individuals.
## Attack Methodology
- **Initial Access:** Unknown (Not disclosed).
- **Persistence:** Unknown (Not disclosed).
- **Privilege Escalation:** Unknown (Not disclosed).
- **Defense Evasion:** Unknown (Not disclosed).
- **Credential Access:** Not disclosed. The nature of the stolen data (PII, SSNs, financial account details) implies access to screening records, not confirmed theft of credentials.
- **Discovery:** Unknown (Likely internal network/database reconnaissance once access was established).
- **Lateral Movement:** Unknown (Not disclosed).
- **Collection:** Targeted collection of PII and sensitive background check results associated with employees/applicants.
- **Exfiltration:** Data was successfully exfiltrated to the threat actor.
- **Impact:** Financial and privacy risk exposure for millions of individuals.
## Impact Assessment
- **Financial:** Costs related to remediation, notification, offering credit monitoring services, and potential regulatory fines (not quantified). Ransom payment made to threat actor.
- **Data Breach:** Exposure of PII for approximately **3.3 million people**, including SSNs, financial account information, and sensitive employment screening data.
- **Operational:** No specific operational downtime mentioned, but the incident required significant internal resource allocation for investigation and remediation.
- **Reputational:** Significant impact due to the sensitive nature of the data handled (drug testing, background checks) and the large number of affected individuals (including clients who are 30% of Fortune 500 companies).
## Indicators of Compromise
- **Network indicators - defanged:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** The threat actor demanded a ransom in exchange for confirmation that the stolen data had been deleted.
## Response Actions
- **Containment:** Measures taken to "dissuade the threat actor from publicly releasing any acquired data."
- **Eradication:** Not detailed; post-breach security improvements are implied but not described.
- **Recovery actions:** Provision of 12 months of free credit monitoring and identity theft protection services through Experian for impacted individuals.
## Lessons Learned
- **Key takeaways:** Large third-party vendors entrusted with highly sensitive PII (including driver's licenses and SSNs) represent significant points of failure for downstream clients. Ransom negotiation and payment occurred in an attempt to mitigate public exposure.
- **What could have been done better:** The unauthorized access to and exfiltration of 3.3 million records containing deep PII were neither prevented nor detected in time. Stronger preventive controls and detection mechanisms were needed.
## Recommendations
- Implement robust segmentation and access controls around databases containing highly sensitive PII (SSNs, financial data).
- Enhance monitoring for anomalous large-scale data extraction activities.
- Review third-party vendor risk management processes to ensure suppliers like DISA meet stringent security standards, especially concerning highly regulated data types.
- Advise all potentially impacted individuals to place immediate fraud alerts and security freezes on their credit files.