Around 300,000 people had their personal information compromised during a wide-ranging cyberattack that infected computer systems used by Dish Network earlier this year, the company revealed in a disclosure this week.
The disclosure, made to the state attorney general’s office in Maine, is the first confirmation from Dish that personal information was compromised during the attack, which took customer support and billing systems offline for weeks. The Desk was the first to report on the attack and the subsequent outages.
No customer information was compromised in the attack, Dish said, but the personal information of some employees, independent contractors and others whom Dish has business relationships with was impacted. Dish put the total number of people affected by the stolen data at 296,851, and said driver’s license numbers were likely among the trove of information stolen during the attack.
Dish says it has notified many of the people whose information was compromised in the attack, and is offering two years of credit monitoring, reporting and related services through TransUnion. Dish established a toll-free number for those who have questions or need further information about the incident: 1-833-570-3074.
The company’s data breach report was first spotted by Fierce Telecom this week. A reporter at Fierce Telecom asked Dish for more information — including whether the company could address a discrepancy between the number of people whose information was compromised and the number of workers Dish employs, which is substantially lower — but the publication said Dish refused to provide additional information.
Earlier this month, Dish said it spent around $30 million to address the security breach, including hiring a leading cybersecurity firm to address the immediate impacts of the breach and investigate what happened. According to one report, Dish may have also made a partial or full ransom payment to the group responsible for the attack. Dish has not confirmed whether it knows the identity of the group, nor has it said whether it paid anything to them.
For weeks, Dish didn’t know if subscriber data was among the trove of material accessed by cyberattackers, with a spokesperson saying early on that it was too early to know for sure whether customer records were compromised.
“The security of our customers’ data is important to us, and if we learn that information was compromised, we’ll take the appropriate steps and let any impacted customers know,” the spokesperson affirmed. “We’re making progress on the customer service front every day, including ramping up our call capacity, but it will take a little time before things are fully restored. Our Dish TV, Sling TV, Wireless services, and data networks continue to operate and are up and running.”
Many customers were unable to pay their bills because a website used to process credit and debit card payments went down during the attack. Dish said it would not disconnect customers who were unable to pay for their service, and promised paper statements were being mailed to all customers. It later affirmed customer information wasn’t compromised during the attack.