Dish 'received confirmation' ransomware gang deleted stolen data

Dish Network said in a data breach notification this week that it had "received confirmation" that data stolen by threat actors in a February ransomware attack was deleted, suggesting the company had paid the ransom.

The satellite television provider revealed on Feb. 28 via an 8-K filing that it had suffered a ransomware attack. Dish initially reported network and service disruptions on Feb. 23, and it was one of many major U.S. enterprises hit by ransomware attacks that month. In the 8-K filing, the company revealed that the attack affected internal servers and communications, including customer call centers and Dish websites, and that personal data might have been affected.

A breach notification letter sent to those affected this week provided additional clarification regarding the nature of the attack. Dish said customer databases were not accessed during the attack, but it had confirmed that "certain employee-related records and personal information (along with information of some former employees, family members and a limited number of other individuals) were among the data extracted."

According to the Office of the Maine Attorney General's website, stolen data included "Name or other personal identifier in combination with: Driver's License Number or Non-Driver Identification Card Number."

In addition, the notification letter included language suggesting Dish paid the ransom.

"We are not aware of any misuse of your information, and we have received confirmation that the extracted data has been deleted," the notification read. "Nevertheless, we are writing to notify you of this incident and to provide you with the information and resources contained in this letter, including the details of an offer for free credit monitoring through our vendor TransUnion."

Ransomware gangs generally only delete stolen data -- or provide a decryption key, when relevant -- after the victim pays an extortion fee.

TechTarget Editorial asked Dish Network whether it paid the ransom and how it "confirmed" that cybercriminals deleted data stolen in the ransomware attack, but the company has not responded at press time.

This is not the first time that a ransomware victim has referenced the deletion of stolen data in a breach notification. Following a ransomware attack in July 2022, digital marketing platform WordFly published a FAQ that indicated the company paid a ransom in exchange for the threat actors deleting stolen customer data.

"While this data was exported from the WordFly environment by the bad actor that perpetrated this incident, it is our understanding that as of the evening of July 15, 2022, that data has been deleted from the bad actor's possession," wrote Kirk Bentley, WordFly business development director, in the FAQ. "We have no evidence to suggest, before the bad actor deleted the data, that the data was leaked over the dark web and/or sent to any other public facing domain/disseminated elsewhere."

Alexander Culafi is a writer, journalist and podcaster based in Boston.