Original Article Text

US drug testing firm DISA says data breach impacts 3.3 million people

DISA Global Solutions, a leading US background screening and drug and alcohol testing firm, has suffered a data breach impacting 3.3 million people.

In January, the company first disclosed a cybersecurity incident that occurred between February 9, 2024, and April 22, 2024, the day it discovered the breach. In an update earlier this month, DISA revealed that the threat actors might have accessed sensitive data stored in its systems, but there was no evidence of further dissemination or misuse.

Today, the company confirmed that after further investigation, it was determined that the sensitive data of 3,332,750 people had been exposed in the cyberattack.

DISA has over 55,000 customers across a broad range of industries, with 30% of Fortune 500 companies relying on the firm's services. That said, the data breach could have far-reaching consequences nationwide.

"We are writing to inform you about an incident experienced by DISA that may have involved some of your personal information, which came into our possession due to the employee screening services you may have completed with your current or former employer or a prospective employer," reads the notification sent to impacted individuals.

DISA did not disclose what types of information were exposed to the unauthorized party in the sample letter it shared with the authorities. However, in a notice published on its website, it lists the following:

What the 'other data elements' consist of is unclear, but due to the type of services it offers, DISA generally handles personally identifiable information, contact details, employment and education history, criminal and background checks, drug and alcohol testing data, medical and health-related data, and more.

While DISA has not shared what type of cyberattack they experienced, a now-deleted notice indicates that they paid a ransom demand to prevent the stolen data from being publicly released.

"DISA data has not been found on the dark web. DISA indicated it 'took measures to dissuade the threat actor from publicly releasing any acquired data and to provide confirmation of the deletion of the data'," reads a copy of the now-deleted notice.

To protect impacted people from the risks arising from the data exposure, DISA offers 12 months of free credit monitoring and identity theft protection service through Experian. It is also recommended that potentially impacted individuals consider placing fraud alerts and security freezes on their accounts as a precaution.

Daily Brief Summary

DATA BREACH // DISA Global Solutions Confirms Data Breach Affecting 3.3 Million

DISA Global Solutions, a prominent US-based drug testing and background screening firm, reported a data breach impacting 3.3 million individuals.

The cybersecurity incident spanned from February 9, 2024, to April 22, 2024, with the breach discovered on the final day.

Breached data includes personally identifiable information, employment histories, and possibly medical and health-related data, but specific details of the exposed data types were not fully disclosed.

Although there is no evidence of data misuse or dissemination, DISA took measures, through interaction with the threat actor, to prevent the public release of the information.

Affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

Impacted parties include employees and applicants of companies using DISA's services, potentially affecting major corporations, including some Fortune 500 companies.

DISA implemented additional security measures to enhance data protection and mitigate future risks.