
On Monday, February 24th, DISA Global Solutions submitted a filing with Maine's attorney general, stating that it had suffered a wide-scale data breach.

As background, DISA is a US-based company that provides employee screening services like drug and alcohol testing and background checks. It has over 55,000 customers, a third of which are Fortune 500 companies. 

Here’s everything we know about the breach so far.

Timeline of the DISA breach 

According to DISA's filing, the company discovered on April 22nd, 2024 that malicious actors had infiltrated its network. The filing doesn't say how their presence was discovered, but it does note that the attack began on February 9th, 2024. That's a whole two and a half months earlier.

DISA says that the data stolen during this period includes social security numbers, credit card numbers, and government-issued identification documents relating to over 3 million individuals. However, it also noted it “could not definitely conclude the specific data procured.”

This is undoubtedly troubling. While DISA isn't saying it outright, its inability to determine exactly what data was stolen points to a lack of technical controls, such as data loss prevention and adequate logging, which is surprising for a company that handles such sensitive information.

Fallout of the breach 

In its filing, DISA went on to state that it had contacted impacted customers shortly after discovering the breach, offering them 12 months of credit monitoring and identity theft protection services to prevent their data from being used maliciously.

However, given the types of data stolen in this incident, it's questionable whether these protections will be enough. After all, as a background screening company, DISA has access to in-depth data about individuals. With data like work history, educational background and credit history, cyber-criminals could create highly convincing phishing scams that go undetected.

Moreover, DISA's failure to discover the breach quickly, combined with the fact that it appears not to have had enough technical controls in place, has caught the eye of law firms across the country. Multiple firms have posted call-outs asking potential claimants to come forward, suggesting that DISA will likely be found "negligent" with regard to how it safeguards clients' personal information.

Lessons learned 

The DISA breach highlights the importance of taking a data-centric approach to safeguarding personally identifiable information. Organizations must classify, monitor and protect sensitive information 24/7—wherever it moves and wherever it resides. 

While this might sound like a tall order, with data exposure prevention tools, the process becomes seamless. Solutions like PolymerHQ, for example, use AI to automatically discover sensitive data in cloud applications, classify it in line with internal policies and compliance mandates, and then control data access based on the risk and context of the interaction.
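To make the classify, monitor and control loop concrete, here is an added illustration in Python. It is not Polymer's code and does not describe how PolymerHQ works internally; it is a minimal sketch of the three steps a data-centric control applies to a record before it leaves a system: detect regulated identifiers, mask them, and decide whether the transfer may proceed based on the destination. The sample record, the SSN and payment card test values, and the policy rules are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Structural SSN check: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional space/dash separators; candidates are confirmed with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample record (not real data). 4111 1111 1111 1111 is the
# standard Luhn-valid test card number; the order reference below looks like
# a card number but fails the Luhn check, so a classifier must not flag it.
SAMPLE_RECORD = (
    "Candidate: Jane Example\n"
    "SSN: 123-45-6789\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Order ref: 1234 5678 9012 3456\n"
    "Employee ID: 000123\n"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # classification label, e.g. "SSN" or "PAYMENT_CARD"
    start: int   # offset of the match in the scanned text
    end: int
    masked: str  # replacement text that keeps only the last four digits


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Classify: locate SSNs and Luhn-valid card numbers in a record."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", m.start(), m.end(), "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops card-shaped strings that are not card numbers
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("PAYMENT_CARD", m.start(), m.end(), masked))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with its masked form, working right to left so offsets stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[: f.start] + f.masked + out[f.end :]
    return out


def policy_decision(findings: list[Finding], destination: str) -> str:
    """Control: a hypothetical policy keyed on destination context.

    Records with no regulated identifiers flow freely; records that carry them
    are blocked when bound for an external destination and released only in
    redacted form internally. Every decision is something an audit log should record.
    """
    if not findings:
        return "allow"
    if destination == "external":
        return "block"
    return "allow-redacted"


if __name__ == "__main__":
    found = scan(SAMPLE_RECORD)
    for f in found:
        print(f"{f.kind} at {f.start}-{f.end} -> {f.masked}")
    print(redact(SAMPLE_RECORD, found))
    print("external:", policy_decision(found, "external"))
    print("internal:", policy_decision(found, "internal"))
```

The Luhn step matters in practice: a pattern-only classifier flags ticket numbers, tracking IDs and similar sixteen-digit strings, and the resulting false positives are what lead teams to switch DLP controls off. Keeping the decision separate from the detection also means the same findings can feed an audit trail, which is exactly the record DISA appears to have lacked when it tried to work out what had been taken.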

With this kind of tool in place, DISA would have discovered the presence of malicious actors on its system immediately. They wouldn’t have been able to access any sensitive information, and DISA would’ve been able to prevent the trouble it currently finds itself in. 

See how PolymerHQ can protect your data. Request a demo now. 

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.
