US employee screening giant DISA says hackers accessed data of more than 3M people

DISA Global Solutions, a U.S.-based provider of employee screening services, has said it suffered a data breach that affects more than 3.3 million people.

DISA, which provides services like drug and alcohol testing and background checks to more than 55,000 enterprises and a third of Fortune 500 companies, confirmed the data breach in a filing with Maine’s attorney general on Monday. 

DISA said it discovered it had been the victim of a “cyber incident” that affected a “limited portion” of its network on April 22, 2024. An internal investigation determined that a hacker had infiltrated the company’s network on February 9, 2024, where they went unnoticed for over two months.

In a letter sent to those affected by the data breach, which includes individuals who underwent employee screening tests, DISA said the attacker “procured some information” from its systems.

In a separate filing with the Massachusetts attorney general, DISA confirmed the stolen information included individuals’ Social Security numbers, financial account information including credit card numbers, and government-issued identification documents. This filing confirmed that more than 360,000 Massachusetts residents were affected by the breach. 

However, in its data breach notification letter, DISA said it “could not definitively conclude the specific data procured,” suggesting the company does not have the technical means, such as logs, to detect exactly what internal data was accessed or exfiltrated.

According to its website, DISA collects a wide range of personal and sensitive information, including details about an applicant’s work history, educational background, criminal records, and credit history. 

It’s not yet known who was behind the cyberattack or how the organization was compromised. It’s also unclear why it has taken DISA so long to notify affected individuals about the breach.

DISA did not immediately respond to TechCrunch’s questions.