DISA Breach Highlights Need for Stronger Oversight: AppOmni CSO
The data breach of employee screening services provider DISA Global Solutions highlights the need for stronger security requirements and regulatory oversight for such companies that handle huge amounts of sensitive personal information but often operate under laws that are weaker than those for financial services institutions and health care organizations.
DISA this month confirmed the data breach, which occurred a year ago and exposed the data of more than 3.3 million people. A notification was filed with the Maine State Attorney General’s office that included a sample notification notice that was being sent to individuals whose data may have been compromised.
In the sample notification, the Houston, Texas-based company wrote that the breached files included the recipient's name “and the following: [data elements].” In a notice on its website, the organization also wrote that investigators “could not definitively conclude the specific data procured.”
DISA officials wrote that an unknown hacker accessed “a limited portion” of the company’s network starting February 9, 2024; DISA discovered the breach on April 22, 2024.
Data Exposed Includes SSNs, Financial Details
However, in an email, Cory Michal, chief security officer at security company AppOmni, wrote the data exposed included Social Security numbers, financial account details, government-issued IDs, and “other personal identifiers, making it highly valuable for cybercriminals.”
“Attackers can use this data for identity theft, creating fraudulent accounts, applying for loans or credit cards, committing unemployment insurance fraud and committing tax fraud,” Michal wrote. “Synthetic identity fraud is another major risk, where criminals combine stolen data with fake information to build new identities for financial crimes.”
Michal also wrote that the data has other nefarious uses: phishing and other social-engineering attacks; corporate espionage or insider threats, with hackers impersonating employees or gaining unauthorized access to company systems using stolen employment history and background check details; and blackmail or privacy violations through exposed medical screening or drug testing data.
Given the amount and sensitivity of data they collect, handle, and store, DISA and similar companies should be regulated by laws like HIPAA and PCI-DSS, he wrote.
National Public Data Breach Makes the Case
Michal pointed to the DISA incident and the attack early last year on data broker National Public Data – which exposed 2.9 billion files and led to multiple lawsuits, the company filing for Chapter 11 bankruptcy, and then shutting down in December 2024 – as examples of why such firms need stronger regulation and oversight.
“These companies often operate with less security budget and weaker security controls, making them more vulnerable to attacks,” he wrote. “Their extensive data retention practices further increase the risk, as personal information remains stored for years, providing cybercriminals with a one-stop shop for identity theft, fraud, and social engineering attacks.”
Michal added that “many background check firms lack advanced monitoring and forensic capabilities, leading to prolonged undetected breaches.”
This is why breaches like the one at DISA take longer to detect: the hackers were in its systems for two months before they were found.
The company administers employment screening services that include drug and alcohol testing and background checks, and says on its website that it has more than 55,000 customers, including 30% of Fortune 500 firms.
Holding Onto Details
When the hack was detected, the company secured the environment, notified law enforcement authorities, restored the affected system, and implemented more security measures, the company said in the letter. The letter doesn’t detail the type of attack, though the circumstances make it sound like ransomware.
DISA is offering free credit monitoring and identity restoration services via Experian to those notified who sign up by June 30.
AppOmni’s Michal said more should be expected of companies such as DISA and National Public Data.
“They should face clear liability for data breaches, with financial penalties and mandatory compensation for affected individuals,” he wrote. “Stronger data retention policies should also be enforced, preventing unnecessary long-term storage of sensitive information. Without robust federal regulations and industry-specific security mandates, these breaches will continue to expose millions to identity theft, fraud, and financial loss.”