In a stunning revelation today, DISA Global Solutions, a major U.S. firm specializing in drug screening and employee background checks, disclosed a data breach that compromised the personal information of over 3.3 million individuals. The breach, which began over a year ago on February 9, 2024, and was discovered on April 22, 2024, wasn’t publicly announced until now—raising eyebrows and questions about transparency and accountability in an industry entrusted with highly sensitive data.
DISA, a Houston-based company serving over 55,000 clients—including 30% of Fortune 500 companies—confirmed that hackers accessed a “limited portion” of its network for over two months undetected. The stolen data includes heavy hitters like Social Security numbers, financial account details, credit card numbers, and government-issued IDs. For the 3,332,750 affected individuals, including over 360,000 Massachusetts residents, this exposure could spell identity theft or financial fraud risks. Yet, in notification letters, DISA admitted it couldn’t “definitively conclude” what specific data was taken, leaving many in the dark about the full extent of their vulnerability.
The delay in disclosure is the real head-scratcher here. Massachusetts law mandates breach notifications within 90 days of discovery, meaning DISA should have alerted affected parties by late July 2024. Instead, it took until February 25, 2025—10 months after discovery—for the company to come clean. Why the holdup? Some speculate an extended investigation or negotiations with threat actors, as earlier reports hinted DISA may have paid a ransom to prevent data leaks on the dark web. The company’s latest statements omit any mention of such actions, leaving that thread dangling.
DISA’s response includes offering 12 to 24 months of free credit monitoring through Experian (reports differ on the length of coverage), with an enrollment deadline of June 30, 2025. It’s a standard move, but for those affected, it might feel like a Band-Aid on a gaping wound. With no evidence of misuse reported yet, DISA urges vigilance—check your credit reports, set fraud alerts, and maybe pray your data isn’t already circulating among cybercriminals.
This breach isn’t just a blip; it’s a spotlight on the risks of third-party screening firms holding troves of personal data. Cybersecurity experts point out that such companies are prime targets, often lacking the forensic tools to catch breaches fast. DISA’s two-month lag before detection proves the point. For employees and job applicants screened by DISA, this could mean their personal details are now ammunition for phishing, fraud, or worse—synthetic identity theft, where hackers blend real and fake data for profit.
The fallout? Two class-action lawsuits filed today in Texas federal court allege DISA neglected its duty to safeguard data and notify victims promptly. Legal experts suggest Massachusetts regulators might also step in, given the state’s strict breach laws. For now, DISA’s 3.3 million victims are left to pick up the pieces—wondering why it took a year to hear the bad news.
If you’ve been screened by DISA, now’s the time to act. Check your notice, enroll in that credit monitoring, and keep an eye on your accounts. In an age where data is gold, this breach is a stark reminder: even the gatekeepers can falter.