Dish told employees that it was “investigating a cybersecurity incident” and that it was “aware that some data was obtained” from its IT systems as a result of this incident, according to the an internal email sent by CEO Erik Carlson and obtained by The Verge. This comes on the fifth day of an internal outage that has taken down some of the company’s internal networks, customer support systems, and websites such as boostinfinite.com and dish.com.
The email did not contain any details on whether the data was internal Dish information or customer data, although it did say that “the investigation may reveal that the obtained data includes personal information.” The extent of the leak may not be fully known yet, as the email, sent Tuesday morning, said the company was “working around the clock to understand the issue and restore affected systems to as soon as possible” and that it has “limited information at this time.”
Dish has not publicly shared much information about the incident since Friday afternoon, when Carlson mentioned it on an earnings call, and it did not respond to multiple requests for comment from The Verge. MarketWatch reported Tuesday morning that Dish confirmed the cyberattack through a securities filing. The filing said the company only learned about the data exfiltration on Monday and that it was working with “third-party experts and advisors.”
The outage will have an impact on both customers and employees. Dish subscribers, as well as Boost Infinite and Boost Mobile users, are unable to contact customer support to do things like activate new equipment, cancel their service, or even pay some times. Dish currently has a skeleton version of its main website that directs users seeking support to an FAQ page and some basic troubleshooting steps.
A Dish employee said The Verge that management expects them to work overtime to clear the support backlog when systems come back online. They also said that the teams should be on standby, because they are expected to start taking calls within an hour of the systems being restored. “Honestly, I wasn’t looking forward to it,” they said.
Many employees are speaking The Verge that they are paid during the outage even if unable to work, although that is not necessarily the case for everyone. A source who works for a regional service provider contracted to install Dish’s systems said management is “trying to find a way to compensate us for this unpaid time off.” but it is not a sure thing. “I hope Dish does something about that, because a lot of us are living paycheck to paycheck and can’t afford it at this time,” they said.
“I hope they shed more light on the situation.”
Some employees noted that the company was slow to share updates and information, even internally. “I hope they shed more light on the situation,” said one person, while another said their manager’s approach to communicating a one-line daily update was “strange.” (Some Dish employees couldn’t access their emails because the VPN was down and relied on communication from site management.) The latter employee said the first definite thing they heard about a cyberattack is when I asked them about Carlson’s email and they saw a story on CNBC.
There is currently no visible ETA on when Dish’s systems will be back up and running, either from the company itself or internal communications. Some employees report that they are given estimates, but they do not appear to be based on official company policy.