Description
DISA Global Solutions provides comprehensive background checks and drug testing services that help employers maintain workplace safety, ensure regulatory compliance, and manage risk through pre-employment screening programs and ongoing workforce monitoring solutions. On April 22, 2024, DISA detected a cyber incident within its network. It launched an immediate investigation, which determined that an unauthorized actor had access to the network between February 9, 2024, and April 22, 2024, and during that time reached certain files containing the personal information (PI) of some 3.3 million individuals. The information included names, Social Security numbers (SSNs), driver’s license numbers, and financial account information. The company sent a letter to all potential victims and reported the data breach to the relevant regulatory and law enforcement authorities. It is believed that the company paid a ransom to have the data deleted, and the company says it has no evidence that the compromised data was ever used.
Basis of the Case
Two class action lawsuits were filed against the company in March of 2025. The plaintiffs state that they provided their personal information to DISA as part of a job application or to obtain employment-related benefits and that an implicit agreement to secure their data existed. Other allegations of the suits include:
- Plaintiffs claim that DISA failed to implement reasonable and adequate data-security practices and failed to invest sufficiently in security measures, which made the breach possible.
- There was a lack of least-privilege access principles, which could have limited the scope of the breach.
- The company failed to monitor suspicious or irregular server requests.
- The breach occurred between February and April 2024, but notifications were not sent until February 2025, and this delay heightened the risk of harm from their compromised data.
Call to Action
The suits specifically mention a lack of adherence to the principle of least privilege (PoLP). Enforcing least privilege access involves implementing several key strategies to ensure that users and systems have only the necessary permissions to perform their tasks. These include measures such as:
- Implement Role-Based Access Control (RBAC), which assigns specific network permissions based on a user’s defined role within the organization, ensuring users have access only to the data and systems necessary for their job functions.
- Use Just-in-Time (JIT) access, which grants elevated privileges only when needed and for a limited time, and revoke that access once the task is completed.
- Conduct regular audits of network privileges to prevent privilege creep and ensure that access rights are aligned with current job requirements.
- Enforce multifactor authentication (MFA) for all access to sensitive systems to add an extra layer of security.
- Segment networks to limit the spread of unauthorized access if a breach occurs.
Organizations should adopt security approaches based on the premise that a security breach is inevitable and data compromise highly probable. By implementing data-at-rest encryption, companies ensure that even when unauthorized parties gain access to stored files, the information remains indecipherable without the proper decryption keys, provided those keys are managed separately from the data they protect. This protective measure is not only a security best practice but also a specific requirement under regulatory frameworks such as PCI DSS for safeguarding sensitive information.