Dish says cyberattack affected nearly 300,000 people

Dish Network last week revealed that nearly 300,000 people were affected by the cyberattack that it discovered in February.

In a data breach notification filed with the state of Maine, Dish said its customer databases were not accessed in the incident, but certain employee-related records and personal information, along with information of some former employees, family members and a limited number of other individuals, were impacted.

Dish employs about 16,000 people and the data breach form says 296,851 people were affected, so it’s unclear how the math adds up or how far back the data breach went. Fierce reached out to Dish for clarification but Dish declined to answer any questions.

In a May 8 SEC filing, Dish said it incurred about $30 million in expenses related to the security breach. Dish said it does not expect to incur material expenses in future periods resulting from the cyber security incident.

A February 28 SEC filing referred to it as a “ransomware attack,” but Dish has not explicitly said whether it paid a ransom in the attack.

A BleepingComputer report from February cited sources saying the Black Basta ransomware operation was behind the attack, first attacking Boost Mobile and then the Dish corporate network. But a report last week said no concrete evidence had emerged to confirm the Black Basta attribution.

During Dish’s Q1 earnings call, executives said Boost Mobile, wireless, Dish TV and Sling TV services all remained up and running throughout the cyber incident. They also reiterated that the outages related to the incident negatively impacted disconnects and churn for Dish TV, but that the outages didn’t materially affect Boost Mobile or Sling TV subscribers.

Dark web scanning

Dish’s template letter filed with the office of the Maine Attorney General said Dish had received confirmation that the information extracted from its databases has been deleted. It continues to conduct online monitoring and dark web scanning and “we have no evidence the extracted data has been misused,” Dish said.

The company said the process of locating personal information in the extracted dataset and matching that information to individuals so that they could be notified was complex and time-consuming. Most of that work was completed on May 8 and then Dish began notifying people whose personal information was exposed.

While some states give residents a right to credit monitoring as a result of a breach, Dish said it’s going to offer credit monitoring to everyone whose personal information appears to have been compromised regardless of where they live. The offer for free credit monitoring is good for two years.