A ransomware attack against US satellite TV provider DISH Network which took place in February 2023, which resulted in the theft of personal information, drivers license numbers and other “non-driver” ID numbers. DISH reported a cybersecurity investment of about $30 million in response during Q1 2023.
Upon its discovery, DISH temporarily shut down its internal IT systems and with the support of cybersecurity experts and outside advisors, commenced an investigation which confirmed the incident and notified law enforcement. According to a notice filed by the State of Maine, exactly 296,851 persons were affected.
While DISH had disclosed that certain data had been extracted from its IT systems as part of the incident, it later determined that its customer databases were not accessed. DISH subsequently received confirmation that the extracted data has been deleted. DISH Network’s satellite TV service and its SLING TV and Retail Wireless services, along with its wireless and data networks remained operational at all times during the incident.
According to reporting by TechCrunch, DISH did not provide details about the incident to employees or customers, even though customers had been registering complaints that they could not access their accounts or the DISH satellite and streaming services.
DISH, on the other hand, claimed that “DISH TV, SLING TV and Retail Wireless services, along with our wireless and data networks remained operational at all times during the incident.” This, from DISH’s Form 10-Q quarterly report for the quarter ending March 31, 2023, dated May 8, 2023.
Remediation by DISH
Also according to its quarterly report, “(DISH) incurred certain cyber-security-related expenses, including, but not limited to, costs to remediate the incident and provide additional customer support. During the three months ended March 31, 2023, we have incurred approximately $30 million in (unspecified) cyber-security-related expenses. … We do not expect to incur material expenses in future periods resulting from the cyber-security incident.”
Even though DISH had no evidence that the data has been misused, DISH also notified individuals whose data was extracted during mid-May. DISH also will provide two years of monitoring through the TransUnion credit monitoring service, including credit monitoring, credit reporting and credit services.
Data Breach Notifications (DISH Network LLC). Submitted (approximately) May 20, 2023. Office of the State of Maine Attorney General
Form 10-Q Quarterly Report, DISH Network LLC. Dated May 8, 2023. Web page. EDGAR Search, US Securities and Exchange Commission.
Dish says ransomware gang stole almost 300,000 employee records. Article. by Carly Page. May 22, 2023. TechCrunch
Why it matters
In addition to any potential damage to DISH Network’s reputation and tarnishing of the company’s good will, DISH incurred significant expenses. Notwithstanding the situation with DISH, any video provider must take the responsibility to safeguard not only its content and services in order to protect supplier relationships, but also to protect private customer information and internal digital assets.