Skip links

Dish confirms 300,000 people’s data was exposed in February’s attack

Dish Network has admitted that a February cybersecurity incident and associated multi-day outage led to the extraction of data on nearly 300,000 people, while also appearing to indirectly admit it may have paid cybercriminals to delete said data.

Dish customers can rest easy, at the very least, as the company said in a sample letter posted to the Maine Attorney General’s breach notification website that customer databases weren’t accessed and the stolen data belonged instead to employees both past and present, their family members, “and a limited number of other individuals” that Dish didn’t specify.

The satellite TV company also didn’t say what sorts of personal information was stolen from 296,851 employees in the attack, aside from driver’s license and non-driver ID card numbers. 

Dish has been generally quiet about the attack since late February, when it admitted there was an incident, filed a form with the Securities and Exchange Commission to notify it of the breach, and admitted that some internal data had been stolen without confirming what it was or from where.

Dish never went on the record to publicly state the attack was caused by ransomware, though internal sources who contacted The Register, did report that ransomware was involved. Dish also made mention of ransomware in its SEC filing.

Reports from February citing internal Dish sources claim the Black Basta ransomware gang was behind the break-in at Dish, and in its template letter [PDF] notifying affected individuals of the incident, the company sought to reassure recipients that there’s no evidence the extracted data has been misused, and that it believes the data has been deleted.

Er, who confirmed that again?

“We have received confirmation that the extracted data has been deleted,” Dish said, adding that it has been monitoring the dark web and criminal forums for signs the data is available online. “The results of the monitoring are consistent with the confirmation that the extracted data has been deleted,” it added. 

That, as Emsisoft security analyst Brett Callow has pointed out, could be interpreted as an admission that Dish paid whatever ransom was demanded of it because “totally untrustworthy cybercriminals assured us the data would be deleted if we paid the ransom,” Callow tweeted

As numerous security researchers and publications have pointed out since ransomware became the hot thing in cybercrime, there is absolutely no reason to believe that a threat actor will follow through on its claims not to retain or eventually leak data. 

Dish said it is offering two free years of single-bureau credit monitoring to those impacted, but with an enrollment deadline of August 31.

We still have a lot of questions for Dish, which hasn’t responded to us, and will update this story if we hear back. ®