Dish customers kept in the dark as ransomware fallout continues

Dish customers are still looking for answers two weeks after the U.S. satellite television giant was hit by a ransomware attack.

In a public filing published on February 28, Dish confirmed that ransomware was to blame for an ongoing outage and warned that hackers exfiltrated data, which “may” include customers’ personal information, from its systems.

Dish hasn’t provided a substantive update since, despite customers continuing to experience issues — or know if their personal data is at risk.

TechCrunch has heard from customers that still have no access to Dish, or services through its subsidiaries like Boost Mobile. Others say they have been unable to contact Dish customer services since the incident began two weeks ago. We have heard from others who say they have been affected by email and voice phishing attacks exploiting the uncertainty around the Dish incident, and TechCrunch has also heard of customers saying their Dish services were disconnected due to ongoing issues at the company meaning the customers were unable to pay their bill.

In a statement given to TechCrunch on Wednesday, Dish spokesperson Edward Wietecha said that “customers are having trouble reaching our service desks, accessing their accounts, and making payments.” When asked whether Dish was disconnecting customers, Wietecha added that “customers who had their service temporarily suspended for nonpayment received additional time until our payment systems were restored.”

Dish declined to share more details on what customer data was accessed during the incident, with Wietecha telling TechCrunch that “these types of investigations take time.” Instead, Wietecha shared almost an exact copy of the company’s statement that has barely changed since it was first published.

TechCrunch also heard that the impact of the breach could extend far beyond Dish’s 10 million-or-so customers. A former Dish retailer told TechCrunch that Dish retains a wealth of customer information on its servers, including customer names, dates of birth, email addresses, telephone numbers, Social Security numbers, and credit card information. The person said that this information is retained indefinitely, even for prospective customers that didn’t pass Dish’s initial credit check.

Dish declined to comment, but did not dispute the claims. Dish also would not say if the company has the technical ability to detect what internal and customer data, if any, was infiltrated. The company also declined to say whether the company had received, or been made aware of, a ransom demand.

It’s unclear when Dish will recover its affected systems, but given the ongoing impact points to a long road to recovery. Internet records show that Dish hosted its own infrastructure until recently before shifting to Amazon’s cloud service around February 23 — around the time of the ransomware attack — suggesting Dish’s in-house systems may have been severely impacted by the attack.

Brett Callow, a ransomware expert and threat analyst at Emsisoft, tells TechCrunch that this, coupled with the fact the disruption has lasted so long, “implies the attack was significant and that Dish does not have an easy and straightforward path to recovery.”

Dish’s Wietecha told TechCrunch that Dish is “working to restore all of our customer experiences is a top priority, but it will take a little time before things are fully restored.”

It’s also not yet known who is behind the Dish ransomware attack but Bleeping Computer previously reported, citing sources, that Black Basta — which many believe to be a rebranding of the notorious Conti ransomware gang — may be responsible. Dish has yet to appear on Black Basta’s leak site, suggesting that negotiations may be ongoing.

Do you work at Dish? Do you have more information about the Dish cyberattack? You can contact Carly Page securely on Signal at +441536 853968, or by email. You can also contact TechCrunch via SecureDrop.