DISA Global Solutions, a third-party employment screening and drug testing company that serves over 55,000 businesses, disclosed a massive data breach affecting more than 3.3 million individuals. What makes this breach especially alarming is both the sensitivity of the data involved — Social Security numbers, financial account information, and government IDs — and the fact that DISA waited 10 months to notify affected individuals. If you've ever undergone a background check or drug test through an employer that uses DISA, your data may be at risk.
What Happened?
DISA discovered on April 22, 2024, that an unauthorized third party had gained access to its network. The investigation revealed that the attacker had access to DISA's systems from February 9, 2024, through April 22, 2024 — a period of more than two months. During this time, the intruder was able to access and potentially exfiltrate sensitive personal information.
Despite discovering the breach in April 2024, DISA did not begin notifying affected individuals until February 21, 2025 — a delay of 305 days that has drawn significant criticism and prompted multiple class action lawsuits.
What Information Was Exposed?
The compromised data is exceptionally sensitive because of the nature of DISA's business — employment screening and drug testing. Exposed information may include:
- Full names
- Social Security numbers
- Driver's license numbers
- Other government-issued ID numbers
- Financial account information (bank accounts, credit card numbers)
- Employment screening results
- Drug test results and medical information
This is a high-severity data exposure
The combination of SSNs, financial account numbers, and government IDs gives criminals everything they need for identity theft, bank fraud, and synthetic identity creation. The 10-month notification delay means attackers had a substantial head start.
Who Is Affected?
DISA provides background checks, drug testing, and employee screening services to more than 55,000 companies across multiple industries. You may be affected even if you've never heard of DISA — many employers outsource screening to DISA without informing the candidate which vendor they use. If you've undergone a pre-employment background check or workplace drug test in recent years, it's worth checking whether DISA was the provider.
Steps to Take Right Now
1. Freeze Your Credit Immediately
Given that SSNs and financial account data were compromised, freezing your credit at all three bureaus should be your first step. This prevents criminals from opening new accounts in your name.
2. Monitor Your Bank and Financial Accounts
Because bank account and credit card information may have been exposed, review your financial statements carefully:
- Check all bank accounts for unauthorized transactions
- Review credit card statements for unfamiliar charges
- Set up transaction alerts on all financial accounts
- Contact your bank to discuss additional security measures such as new account numbers
3. Enroll in Free Credit Monitoring
DISA offered affected individuals access to credit monitoring and identity restoration services through Experian. If you received a notification letter, follow the enrollment instructions. Use every free monitoring resource available to you.
4. Place Fraud Alerts
Contact one of the three credit bureaus to place a fraud alert on your file. The bureau you contact is required to notify the other two. This adds a layer of verification before any new credit is issued in your name.
5. Check Your Background Check Reports
Since DISA handles employment screening data, consider also checking your background check reports for inaccuracies. You have the right to request a free copy of your background check report under the Fair Credit Reporting Act. Our guide on how to dispute errors on your background check walks through the process.
6. Get an IRS Identity Protection PIN
With your SSN compromised, protect against fraudulent tax filings by obtaining an IP PIN from the IRS at irs.gov/ippin.
7. Watch for Phishing and Scams
Criminals armed with your employment and personal details may craft convincing scams. Be suspicious of:
- Emails or calls claiming to be from your employer about "updating" your information
- Messages referencing your workplace drug test or background check
- Texts from "banks" asking you to verify account activity
The Notification Delay Problem
DISA's 10-month delay between discovering the breach and notifying affected individuals gave attackers a significant head start. During those months, stolen data could have been sold on dark web marketplaces, used to open fraudulent accounts, or leveraged for targeted social engineering attacks — all while victims had no idea they were at risk.
This delay highlights why proactive privacy protection matters. Services that provide dark web monitoring can alert you when your information appears in underground marketplaces, often well before a company gets around to notifying you.
Legal Action
Multiple class action lawsuits have been filed against DISA Global Solutions, alleging negligence in protecting sensitive data and unreasonable delay in notifying affected individuals. If you received a breach notification, keep it — you may be eligible for compensation through a future settlement.
Protect Yourself With PrivacyOn
A breach like DISA's is a reminder that your most sensitive data is only as secure as the weakest link in a chain of third-party vendors. PrivacyOn helps you reduce your exposure by removing personal information from 100+ data brokers, monitoring the dark web for your compromised credentials, and alerting you 24/7 when new threats emerge. The less data about you that's available online, the harder it is for criminals to exploit what was stolen. Learn more about post-breach protection.