DISH Network to Blame for February 2023 Cyberattack by Russian Hackers, Class Action Says

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit claims DISH Network Corporation failed to protect the personal information of consumers and employees during a February 2023 ransomware attack.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 41-page lawsuit says that the IT systems of the satellite TV company—one of the largest in the United States—were hacked on February 23, purportedly by Russian ransomware gang Black Basta. The suit relays that the cyberattack caused a 24-hour “outage” that impacted Dish.com, the Dish Anywhere app, Dish Wireless subsidiary Boost Mobile and other DISH-operated websites and networks.

According to the case, the information compromised in the breach included, without limitation, consumer and employee names, dates of birth, telephone numbers, physical addresses, email addresses, driver’s license or state ID card numbers, Social Security numbers and bank account and credit card details.

The complaint argues that the cyberattack was a direct result of DISH’s failure to implement proper data security to protect the highly sensitive information housed in its network, which the suit describes as a “gold mine for a ransomware gang like Black Basta.”

Though DISH notified certain consumers of the breach by email in mid-March, the company has yet to send notices to the “vast majority” of impacted customers, the filing shares. As the lawsuit tells it, DISH has also failed to provide any information regarding precisely what data was accessed and stolen.

Given the frequency of data breaches in recent years, DISH should have known that its obligation to properly defend its computer systems was “particularly important,” the suit charges.

The plaintiff, a North Carolina DISH customer, learned that her private information had been compromised in the breach when she discovered that more than $200 had been withdrawn from her DISH account without her authorization, the case shares. After calling customer service, the plaintiff was informed by a DISH representative that her data had been accessed during the incident, the complaint says.

The filing contends that the identities of victims like the plaintiff are significantly at risk as a result of the company’s negligence, namely because the sensitive information entrusted to it is now “in the hands of data thieves and unauthorized third-parties [sic].”

In a May 8 statement posted on its website, DISH shared that its investigation into the cyberattack is “now substantially complete,” and that the company has “determined that our customer databases were not accessed in this incident.” In the statement, DISH claimed to be “working to enhance our cyber defenses and overall security posture” in the wake of incident, among other measures.

The lawsuit looks to represent anyone in the United States who had personal information stolen as a result of the DISH data breach, including all who were sent a notice of the incident.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.