HONOLULU (KHON2) — The University of Hawaii negotiated with cyber criminals for the first time to resolve a ransomware attack on Hawaii Community College.
College officials said they made the difficult decision to prevent sensitive information of tens of thousands from being dumped on the internet.
Get Hawaii’s latest morning news delivered to your inbox, sign up for News 2 You
A spokesman for UH said the data of about 28,000 current and former employees and students was compromised in June, 2023. The criminal entity — which UH said had a confirmed history of posting stolen information when an agreement was not reached — put officials on notice.
“They basically put your company’s name up on a site, on a webpage. It says that if you don’t contact us and and pay within seven days, we are going to compromise all this data and put it on the Internet,” said UH spokesman Dan Meisenzahl.
The payout was in the low six-figure range and officials said it was less than $250,000. Officials said the money did not come straight from taxpayers, but indirectly through State-funded insurance.
“The State of Hawaii has insurance and insurance that would cover if someone fell and hurt themselves on the campus and, of course, a cyber security attack,” Meisenzahl said. “You have an annual fee that you have to pay and then you’re covered and when something happens, you file a claim and that’s exactly what happened in this instance.”
Cyber security experts said UH made the right decision by negotiating.
“And if they do release it, then the potential damage could be far outweigh the cost of paying the ransom,” said CYPAC Cybersecurity & I.T. president Attila Seress. “The kind of data that ends up out onto the dark web are not just names and addresses, but it’s Social Security numbers and sometimes even health information.”
Ransomware attacks often come through malicious emails and the Better Business Bureau said it is always better for an employee to contact their company if a suspicious link is received at work.
“When in doubt, screenshot it, send it to your IT if you have an IT department,” said BBB Hawaii marketplace manager Roseann Freitas. “‘Hey, does this look legitimate?’ And you’d be surprised, a lot of times they’re able to figure that out and it will stop the fraud from happening.”
KHON2 asked Meisenzahl how officials can be sure that the cyber criminals destroyed the stolen data after they received payment.
“Obviously there’s no guarantee, which is why we’re offering credit monitoring and the like to to everyone who’s been impacted. But their business model is to show that they honored their commitment so people will actually pay them,” Meisenzahl said. “On the flip side of that, they are also proven that they will dump the data on the Internet. They have a record of doing this and that’s one of the things that really played into the decision to to come to an agreement, even though it was really a difficult decision.”
Meisenzahl said current and former students and employees from HCCC who believe their information could have been violated should call 1-833-627-2706 from 6 a.m. to 6 p.m. PDT.
UH will be utilizing its Information Technology Services to increase scanning and monitoring to work with the campus’ potential vulnerabilities.