A major data breach has been reported by DISA Global Solutions, a US-based provider of employee screening services, affecting a staggering 3.3 million people. The company, which offers services like drug and alcohol testing and background checks to over 55,000 enterprises, including a third of Fortune 500 companies, confirmed the breach in a filing with Maine's attorney general on Monday.

According to DISA, the company discovered the "cyber incident" on April 22, 2024, which impacted a "limited portion" of its network. However, an internal investigation revealed that a hacker had infiltrated the company's network on February 9, 2024, and went unnoticed for over two months. The breach is a significant concern, given the sensitive nature of the information handled by DISA, which includes personal and employment-related data.

In a letter sent to those affected by the breach, DISA disclosed that the attacker "procured some information" from its systems. While the company did not specify the exact data stolen, a separate filing with the Massachusetts attorney general confirmed that the breach exposed individuals' Social Security numbers, financial account information, including credit card numbers, and government-issued identification documents. The filing also revealed that more than 360,000 Massachusetts residents were affected by the breach.

Notably, DISA's data breach notification letter stated that the company "could not definitively conclude the specific data procured," suggesting that it lacks the technical means to detect what internal data was accessed or exfiltrated. This raises concerns about the company's ability to protect sensitive information and respond to cybersecurity incidents.

DISA's website reveals that the company collects a wide range of personal and sensitive information, including details about an applicant's work history, educational background, criminal records, and credit history. The breach is a stark reminder of the importance of robust cybersecurity measures and transparency in the handling of sensitive data.

The incident has sparked questions about the identity of the attackers and how the organization was compromised. Additionally, it is unclear why it has taken DISA so long to notify affected individuals about the breach. DISA did not immediately respond to questions from TechCrunch.

The breach is a significant concern for individuals who have undergone employee screening tests with DISA, as well as the companies that rely on its services. As the investigation continues, it is essential for DISA to provide clear guidance on the steps it is taking to prevent future breaches and protect the sensitive information in its care.

The incident serves as a stark reminder of the importance of robust cybersecurity measures and transparency in the handling of sensitive data. As the digital landscape continues to evolve, companies must prioritize the protection of personal data and be prepared to respond swiftly and transparently in the event of a breach.