Nearly 300,000 people affected by data breach in DISH ransomware attack
A February ransomware attack against satellite broadcast giant DISH leaked the personal information of nearly 300,000 people, according to regulatory filings made by the company last week.
DISH confirmed that it was hit with ransomware after it suffered widespread outages. The attack affected DISH’s internal communications, customer call centers, and websites.
The company told regulators in Maine last week that 296,851 people had data affected by the incident, and in breach notification letters sent out on May 18 they confirmed that personal data was involved, including driver’s license numbers.
The letters confirm that the network outage began on February 23 and affected the company’s internal servers and IT systems. They shut down their internal network, hired cybersecurity experts and notified law enforcement once they realized the severity of the situation.
“We have since determined that our customer databases were not accessed in this incident. However, we have confirmed that certain employee-related records and personal information (along with information of some former employees, family members and a limited number of other individuals) were among the data extracted,” they said.
“The process of locating personal information in the extracted dataset and matching that information to individuals so that we could notify them was complex and time-consuming. This work was substantially completed on May 8, 2023. We then began notifying the list of persons whose personal information is confirmed to have been included.”
The letters do not say what information was stolen but the regulatory filing with Maine says driver’s license numbers were included in the breach.
The letter says twice that DISH has “received confirmation that the extracted data has been deleted” – which several cybersecurity experts interpreted as a tacit acknowledgement to a ransom having been paid.
“We are conducting online monitoring and dark web scanning, and we have no evidence the extracted data has been misused. The results of the monitoring are consistent with the confirmation that the extracted data has been deleted,” the letter said. “In particular, the monitoring has not revealed any evidence that your personal information has been published, traded, sold, or otherwise misused.”
For years, cybersecurity experts have repeatedly warned that these kinds of assurances of data deletion from ransomware gangs are flimsy at best and outright lies at worst.
DISH is offering those affected by the data breach two years of free credit monitoring services.
The company is now facing a class action lawsuit related to their handling of the incident and the statements made about the situation when it was first revealed.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.