3.3 million people were exposed in the DISA data breach – it took the firm 10 months to disclose the incident


Background check firm DISA Global Solutions has revealed it suffered a data breach exposing millions of sensitive records – nearly a year after the incident first occurred.

The breach was discovered on April 22, 2024, but by then an unauthorized third party had been able to access data on around 3.3 million people since February 9, 2024.

“Although our forensics investigation could not definitively conclude the specific information procured, the affected files contained individuals’ personal information, which came into our possession due to the employment screening services we provide employers and prospective employers,” said the firm.

“Presently, we are unaware of any attempted or actual misuse of any information involved in this incident.”

However, it said, it had not been able to definitively establish exactly what data had been accessed.

The company is contacting people whose personal information was accessed; that information may have included name, Social Security number, driver’s license number, other government ID numbers, financial account information, and other data.

It’s also offering those affected access to credit monitoring and identity restoration services through Experian.

“We take this incident seriously and sincerely regret any inconvenience this incident may cause affected individuals,” said DISA.

“Upon discovery, we secured our network, notified law enforcement authorities, safely restored our systems and operations, and implemented additional security measures. We also offer affected individuals access to credit monitoring and identity restoration services through Experian.”

DISA data breach a wake-up call for background check firms

Background check companies are prime targets for cyber criminals because of their long-term storage of vast amounts of highly sensitive personal data – and this isn’t always as well protected as it should be, said Cory Michal, CSO at security company AppOmni.

“Unlike financial institutions, which must adhere to strict cybersecurity regulations, these companies often operate with less security budget and weaker security controls, making them more vulnerable to attacks,” he said.

“Additionally, many background check firms lack advanced monitoring and forensic capabilities, leading to prolonged undetected breaches, as seen in the DISA Global Solutions breach where attackers had access for over two months before detection.”

Michal said he’d like to see background check companies made subject to stricter cybersecurity laws and standards, similar to those imposed on institutions under HIPAA or PCI-DSS.

This would mandate encryption, continuous monitoring and breach detection measures.

“Additionally, they should face clear liability for data breaches, with financial penalties and mandatory compensation for affected individuals. Stronger data retention policies should also be enforced, preventing unnecessary long-term storage of sensitive information,” he said.

“Without robust federal regulations and industry-specific security mandates, these breaches will continue to expose millions to identity theft, fraud, and financial loss.”

The breach has already mobilized several US law firms to launch class action lawsuits.
