US-based employee screening services provider DISA Global Solutions said it was breached by hackers, putting the personally identifiable information of 3.3 million people at risk.

While DISA informed Maine’s attorney general of the data breach yesterday (thanks, TechCrunch) and reported the hack to Massachusetts’s Office of Consumer Affairs and Business Regulation earlier on February 22, the attack began over a year ago, on February 9, 2024. The unidentified hacker accessed DISA’s network for two months before the company noticed on April 22, 2024. However, there’s allegedly “no evidence of actual or attempted misuse” of personal information.

In a sample notification letter sent to those affected by the hack, DISA claimed it “could not definitively conclude the specific data procured” even after an investigation with third-party assistance. However, the Massachusetts filing listed what the attackers accessed: Social Security numbers, financial accounts, driver’s licenses and credit and debit numbers. DISA didn’t share other details on the attack.

DISA serves over 55,000 customers, including 30 percent of Fortune 500 companies. The company offers drug, alcohol and background checks. This allows it to collect sensitive information, making it a prime target for cybercriminals.

It’s unknown why DISA took almost a year to notify anyone, especially when employee screening is a highly sensitive industry. Those affected can enroll for 12 months of credit monitoring and identity restoration services, a common act of apology companies often take after a cybersecurity incident.

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/us-employee-screening-firm-disa-hit-with-data-breach-affecting-over-33-million-people-145658681.html?src=rss

This post was originally published on this site