Communications Litigation Today was a Warren News publication.
Offer 'Inadequate'

Credit Monitoring Firm Warned Dish Customer Her PII Was Stolen in Data Breach

June 12, 2023 by Rebecca Day|Top News

After Dish’s February data breach disclosure (see 2305080049), Laura Vest, of Elliston, Virginia, was notified by credit monitoring service Experian that her personally identifiable information had been found on the dark web, alleged Vest’s class action (docket 1:23-cv-01462) Thursday in U.S. District Court for Colorado in Denver. Vest's class action was the ninth filed against Dish since the company disclosed the data breach.

Dish informed her in a breach notification letter dated May 17 that her PII was compromised in the breach. As a result, Vest has been forced to, and will continue to have to, invest “significant time monitoring her accounts to detect and reduce” the likely consequences of identity fraud, said the complaint.

Dish said about 296,000 people were affected by the data breach, said the complaint, citing a data breach notification webpage from the Office of the Maine Attorney General’s website. The breached PII included social security numbers, names, addresses, dates of birth, and driver’s license numbers, said the complaint.

PII has high value to criminals, said the complaint, saying PII can be sold at a price of $40-$200, and bank details from $50-$100, it said. Criminals can also buy entire company data breaches at a price of $900 to $4,500, it said, citing a 2015 National Public Radio report.

Dish offered data breach victims two years of free identity protection services, said the complaint. It called the offer “inadequate” because “identity thieves often hold onto personal information" in order to commit fraud years after such free programs expire.

Dish “disregarded the rights” of plaintiffs and class members by intentionally and negligently failing to take adequate measures to protect its internal servers; failing to disclose it didn’t have robust security protocols and training practices in place to safeguard their PII; failing to prevent the data breach; concealing the breach for an “unreasonable duration of time”; and failing to notify victims of the breach promptly, said the complaint.

In the lawsuit, Vest asserts claims of negligence, breach of implied contract and unjust enrichment against Dish. She seeks awards of statutory damages or penalties to the extent available, pre-judgment interest, restitution and monetary relief, the complaint said. Dish didn't comment Friday.