Full Report
DISA Global Solutions, a leading US background screening and drug and alcohol testing firm, has suffered a data breach impacting 3.3 million people. [...]
Analysis Summary
# Incident Report: DISA Global Data Breach Affecting 3.3 Million Individuals
## Executive Summary
A significant data breach occurred at DISA Global Solutions, a US drug testing and employee screening firm, exposing the personal information of approximately 3.3 million individuals. The incident involved the exfiltration of highly sensitive data, including Social Security numbers and financial account information. Response actions included negotiating with the threat actor, paying a ransom to prevent public release, and offering complimentary credit monitoring services to affected parties.
## Incident Details
- **Discovery Date:** Not explicitly stated, but notification letters were sent around February 2025 (implied by shared documents).
- **Incident Date:** Not explicitly stated.
- **Affected Organization:** DISA Global Solutions.
- **Sector:** Drug Testing/Employee Screening Services (Security/HR Tech).
- **Geography:** United States (Implied by customer base and regulatory filings).
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Unknown (No specific attack vector disclosed by DISA).
- **Details:** Threat actors gained unauthorized access to DISA systems.
### Lateral Movement
- **Details:** Unknown. The focus of the available information is on data exfiltration.
### Data Exfiltration/Impact
- **Details:** Attackers stole personal information belonging to roughly 3.3 million individuals who had undergone employee screening services. Sensitive records were compromised.
### Detection & Response
- **How it was discovered:** Not specified in detail, but the organization became aware of the compromise and began internal review and notification procedures.
- **Response actions taken:** DISA engaged with the threat actor, paid a ransom to dissuade them from publicly releasing the data, and obtained the actor's assertion that the data had been deleted. Affected individuals were notified and offered 12 months of free credit monitoring via Experian.
## Attack Methodology
- **Initial Access:** Not disclosed.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Not disclosed.
- **Lateral Movement:** Not disclosed.
- **Collection:** Unauthorized access and collection of PII, financial data, and screening records.
- **Exfiltration:** Data was successfully exfiltrated from DISA's environment.
- **Impact:** Ransom negotiation and payment occurred to prevent public exposure of the exfiltrated data.
## Impact Assessment
- **Financial:** Implied costs related to remediation, investigation, and the ransom payment. **Note:** Ransom payment confirmed but amount undisclosed.
- **Data Breach:** Impacted 3.3 million individuals. Data exposed included: Full name, Social Security number, Driver's license number, Government ID number, Financial account information, and other PII/health/background check data.
- **Operational:** No details on operational disruption provided, but incident required immediate notification and response efforts.
- **Reputational:** Significant reputational damage as a firm handling sensitive background/drug screening data for 30% of Fortune 500 companies.
## Indicators of Compromise
- **Network indicators - defanged:** None provided in the source material.
- **File indicators:** None provided in the source material.
- **Behavioral indicators:** Data exfiltration followed by ransom negotiation and payment.
## Response Actions
- **Containment measures:** Measures taken to halt the unauthorized access (not specified).
- **Eradication steps:** Steps taken to remove the threat actor from the environment (not specified).
- **Recovery actions:** Provision of 12 months of free credit monitoring and identity theft protection through Experian for all impacted individuals. Direct notification to affected parties.
## Lessons Learned
- Client organizations' reliance on a third-party provider to hold sensitive screening data concentrated that data in a single high-value target for threat actors.
- Successful data exfiltration indicates potential vulnerabilities in network segmentation or access controls related to sensitive stored data.
- The decision was made to pay a ransom to prevent data release, which suggests a high perceived risk of public exposure.
## Recommendations
- Conduct a thorough forensic investigation to determine the exact initial access vector and extent of lateral movement.
- Review and strengthen encryption of stored data, especially PII, SSNs, and financial account information.
- Re-evaluate vendor risk management processes, as this breach originated within a critical service provider.
- Implement multi-factor authentication across all sensitive administrative access points.