DISA Global Solutions, a Houston-based provider of employee background checks and workplace safety services, disclosed a significant cybersecurity incident exposing the personal information of over 3.3 million individuals, including 15,198 Maine residents.
The breach occurred on February 9, 2024, but was not detected until April 22, 2024, according to a data breach notification filed with the Maine Attorney General’s office.
The compromised data includes names combined with other personal identifiers, heightening risks of identity theft and financial fraud.
Breach Timeline and Attack Methodology
The incident resulted from an external system breach (hacking) targeting DISA’s infrastructure.
Hackers infiltrated systems containing sensitive employee screening records, which often include Social Security numbers, employment histories, and criminal background data. However, the notification did not specify the exact data elements compromised.
The 76-day gap between the intrusion’s occurrence and discovery highlights potential vulnerabilities in DISA’s network monitoring protocols.
Cybersecurity experts emphasize that such delays are critical, as attackers often use this time to exfiltrate data or establish persistent access.
DISA’s role as a third-party screener for employers amplifies the breach’s gravity. The company serves industries ranging from healthcare to transportation, meaning affected individuals could include employees at sensitive organizations.
The lack of clarity on whether financial or biometric data was accessed remains a concern for privacy advocates.
Notification Protocol and Remediation Efforts
Affected individuals began receiving written notifications on February 21, 2024—12 days after the breach—though DISA has not explained why consumer alerts preceded the breach’s discovery date.
The company partnered with Experian to offer 12 months of complimentary credit monitoring and identity theft protection.
However, the notification letter did not confirm whether DISA has implemented enhanced encryption or multi-factor authentication post-breach.
Legal representatives from Holland & Knight LLP, DISA’s counsel, stated the firm is cooperating with federal investigators and cybersecurity consultants.
“DISA has taken steps to secure its systems and prevent future incidents,” said Shardul Desai, partner at Holland & Knight. No evidence of data misuse has been identified to date.
With over 3.3 million impacted individuals, this breach ranks among the largest of 2024 and could trigger investigations under the FTC’s Safeguards Rule and state privacy laws.
Maine residents—the only explicitly noted subgroup—are entitled to additional protections under the state’s stringent data privacy laws.
DISA’s Houston headquarters (11740 Katy Freeway, Suite 900) and corporate parent companies may face litigation, particularly if plaintiffs demonstrate negligence in safeguarding data.
Cybersecurity analysts criticize DISA’s breach description as overly vague, arguing that transparency about attack vectors (e.g., ransomware, phishing) is crucial for public trust.
The incident underscores risks inherent in centralized repositories of employee data, prompting calls for decentralized verification systems using blockchain or zero-knowledge proofs.
Recommendations for Affected Individuals
Those impacted should:
- Enroll in Experian’s monitoring service using the provided activation code
- Place fraud alerts with all three credit bureaus
- Review employment records for unauthorized disclosures
- Monitor bank and insurance statements for suspicious activity
DISA has established a dedicated call center for inquiries, though the notification did not specify its hours or international accessibility.
As background check firms increasingly digitize records, this breach serves as a cautionary tale for the $4 billion employee screening industry.