Full Report
Source headline (TechCrunch, 2024): The Texas-based company said hackers accessed applicants’ SSNs and financial information
Analysis Summary
# Incident Report: DISA Global Solutions Data Breach Affecting 3.3 Million Individuals
## Executive Summary
DISA Global Solutions, a U.S. provider of employee screening services, suffered a network intrusion beginning in February 2024 that was discovered in April 2024. Attackers accessed and potentially exfiltrated sensitive data, including Social Security numbers, financial account details, and government IDs, impacting over 3.3 million individuals. DISA’s initial investigation suggests a significant data compromise, though the precise scope remains unclear because its logging could not establish exactly which records were accessed.
## Incident Details
- **Discovery Date:** April 22, 2024
- **Incident Date (Infiltration Start):** February 9, 2024
- **Affected Organization:** DISA Global Solutions
- **Sector:** Employee Screening Services (Background Checks, Drug & Alcohol Testing)
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** February 9, 2024
- **Vector:** Cyber incident indicating external unauthorized infiltration into a limited portion of the network.
- **Details:** The attacker gained an initial foothold and remained undetected for over two months within the environment.
### Lateral Movement
- **Date/Time:** Between February 9, 2024, and April 22, 2024 (Unspecified duration)
- **Vector:** Unknown, but assumed successful based on subsequent data access.
- **Details:** The threat actor moved across the network, accessing systems containing screening data.
### Data Exfiltration/Impact
- **Date/Time:** Within the infiltration window (Feb 9 – Apr 22, 2024)
- **Vector:** Unauthorized data procurement/exfiltration.
- **Details:** Information procured included Social Security numbers, credit card numbers, financial account information, and government-issued identification documents for a portion of the affected population.
### Detection & Response
- **Date/Time (Detection):** April 22, 2024
- **Detection Method:** Discovery of a "cyber incident."
- **Response Actions Taken:** Launched an internal investigation; notified affected parties via breach notification letters; filed reports with State Attorneys General (Maine and Massachusetts).
## Attack Methodology
- **Initial Access:** Unspecified external intrusion method (implied compromise of a network segment).
- **Persistence:** Maintained access for over two months (February 9 to April 22, 2024) without detection.
- **Privilege Escalation:** Not specified, but necessary to access sensitive data repositories.
- **Defense Evasion:** Successfully evaded detection for over 60 days.
- **Credential Access:** Implied use of compromised credentials or exploitation to access records.
- **Discovery:** Attacker likely performed internal reconnaissance to locate sensitive PII/financial data pertaining to screened individuals.
- **Lateral Movement:** Unspecified, but achieved access to data repositories containing the compromised information.
- **Collection:** Gathered PII, financial data, and government ID information.
- **Exfiltration:** The collected information was procured (the term used in DISA's own statement) for transfer out of the network.
- **Impact:** Theft of highly sensitive personal and financial data affecting millions of subjects.
## Impact Assessment
- **Financial:** Not specified publicly, but potentially high due to remediation costs and mandatory identity protection services for victims.
- **Data Breach:** Data of **3.3 million** people accessed or procured. Specific stolen data types include: Social Security Numbers (SSNs), credit card numbers, financial account information, and government-issued identification documents.
- **Operational:** Immediate operational impact due to incident response activation and notification requirements.
- **Reputational:** Significant damage to DISA's reputation as a trusted provider of background screening for major enterprises, including a third of the Fortune 500.
## Indicators of Compromise
*The source material provides no specific IoCs, so none are listed here. DISA's own statement that it could not definitively determine which data was procured suggests its logs were insufficient to reconstruct the intrusion.*
- **Network Indicators:** Not disclosed.
- **File Indicators:** Not disclosed.
- **Behavioral Indicators:** Long-term unauthorized network presence (over two months, February 9 to April 22, 2024).
## Response Actions
- **Containment:** Initiated containment measures upon discovery on April 22, 2024, isolating and neutralizing the impacted "limited portion" of the network.
- **Eradication:** Unspecified remediation actions taken to remove the threat actor's access.
- **Recovery:** Began notifying affected individuals and regulatory bodies (the Maine and Massachusetts Attorneys General). Identity protection services for those impacted are implied by standard practice but not confirmed in the source.
## Lessons Learned
- **Visibility Gap:** DISA stated it "could not definitively conclude the specific data procured," indicating insufficient logging and monitoring visibility to track lateral movement and confirm what was exfiltrated.
- **Detection Time:** The threat actor operated within the network for over two months (February 9 to April 22, 2024) undetected, suggesting existing controls failed to identify the anomalous activity or persistence mechanisms.
## Recommendations
- **Enhance Logging and Monitoring:** Immediately implement comprehensive logging across all critical network segments and endpoints, specifically retaining adequate forensic artifacts to confirm data access and exfiltration flows.
- **Improve Threat Detection Capabilities:** Review and enhance threat hunting procedures to actively search for long-term low-and-slow intrusions, rather than relying solely on alert-based detection.
- **Data Access Auditing:** Implement stringent auditing of access attempts to repositories containing SSNs, financial data, and government IDs.
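The three recommendations above come down to one practical question: given an access log for the repository holding SSNs and financial data, can the defender tell which reads were abnormal and how long that activity went unnoticed? The following Python script is an added example written for this report; it is not code from DISA, TechCrunch, or any vendor, and the repository name `screening_db`, the account and host names, and every log line are constructed. It builds a baseline of which account/host pairs normally read the sensitive store, flags later reads that break the baseline, happen off-hours, or pull bulk row counts, and measures dwell time from the first flagged event to the stated detection date. The constructed lines place the first anomalous read on February 9, 2024 so the dwell calculation lands on the same window the Detection Time lesson describes.

```python
"""
Audit-log review for a sensitive-data repository.

Flags reads that fall outside an observed baseline and measures dwell time
from the first flagged event to the date the incident was detected.
All log lines, account names, hosts and the repository name are constructed
for illustration; nothing here is taken from the DISA incident itself.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit records: timestamp, account, source host, repository, rows read.
# The baseline window (January) shows the two pairs that normally read the store.
SAMPLE_LOG = """\
2024-01-15T09:12:03Z svc_screening app-01 screening_db 120
2024-01-16T10:44:51Z analyst_a ws-17 screening_db 35
2024-01-30T14:02:10Z svc_screening app-01 screening_db 98
2024-02-09T02:31:47Z svc_screening vpn-pool-22 screening_db 15
2024-02-11T03:05:12Z svc_screening vpn-pool-22 screening_db 48000
this line is malformed and must be skipped
2024-03-02T01:58:33Z backup_tmp vpn-pool-22 screening_db 120000
2024-03-20T11:20:00Z analyst_a ws-17 screening_db 40
"""

SENSITIVE_REPOS = {"screening_db"}   # assumed name of the PII/financial store
BASELINE_END = datetime(2024, 2, 1)   # records before this date define "normal"
BULK_ROW_THRESHOLD = 10_000           # reads at or above this count are flagged as bulk
OFF_HOURS_BEFORE = 6                  # 00:00-05:59 is treated as off-hours


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # malformed line: skip rather than abort the whole review
        ts, account, host, repo, rows = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "host": host, "repo": repo, "rows": int(rows),
        })
    return records


def build_baseline(records):
    """Map each sensitive repo to the (account, host) pairs seen before BASELINE_END."""
    baseline = defaultdict(set)
    for r in records:
        if r["repo"] in SENSITIVE_REPOS and r["ts"] < BASELINE_END:
            baseline[r["repo"]].add((r["account"], r["host"]))
    return baseline


def flag_anomalies(records, baseline):
    """Return (record, reasons) for post-baseline reads of a sensitive repo that look abnormal."""
    flagged = []
    for r in records:
        if r["repo"] not in SENSITIVE_REPOS or r["ts"] < BASELINE_END:
            continue
        reasons = []
        if (r["account"], r["host"]) not in baseline.get(r["repo"], set()):
            reasons.append("unbaselined account/host pair")
        if r["ts"].hour < OFF_HOURS_BEFORE:
            reasons.append("off-hours access")
        if r["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append("bulk read")
        if reasons:
            flagged.append((r, reasons))
    return flagged


def dwell_days(flagged, detected_on):
    """Whole days between the earliest flagged event and the ISO date the incident was detected."""
    if not flagged:
        return 0
    first = min(r["ts"] for r, _ in flagged)
    return (datetime.strptime(detected_on, "%Y-%m-%d") - first).days


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits = flag_anomalies(recs, build_baseline(recs))
    for r, why in hits:
        print(r["ts"].isoformat(), r["account"], r["host"], r["rows"], "->", "; ".join(why))
    print("dwell time (days):", dwell_days(hits, "2024-04-22"))
```

Run as-is, the script reports three flagged reads (the first on February 9 at 02:31 from an unbaselined VPN host, then two bulk off-hours reads) and a dwell time of 72 days to the April 22 detection date. In a real deployment the baseline would come from a longer observation window and the flagged events would feed an alert queue; the point of the example is that each of the three recommendations (retained access logs, hunting for low-and-slow activity, auditing reads of the sensitive store) corresponds to a concrete check that the log makes possible only if it exists.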