Hawaiʻi Community College pays ransom after attackers steal personal info of 28,000 people
Hawaiʻi Community College announced this week that it paid a ransomware gang to delete the information of more than 28,000 people who had their information accessed during an attack last month.
In an update, the community college network said the ransomware attack has been “resolved” but only after they paid the hackers due to concerns about them leaking the stolen information.
“After determining that the compromised data most likely contained personal information of approximately 28,000 individuals, the University of Hawaiʻi made the difficult decision to negotiate with the threat actors in order to protect the individuals whose sensitive information might have been compromised,” the school said.
“A significant consideration in this decision-making process was that the criminal entity responsible for the attack has a documented history of publicly posting the stolen personal information of individuals when agreement with the impacted entity was not reached. Working with an external team of cybersecurity experts, UH reached an agreement with the threat actors to destroy all of the information it illegally obtained.”
The attack was claimed by the NoEscape ransomware group, a new gang that emerged in May.
Despite paying the ransom, the community college is still in the process of restoring its IT infrastructure. The wireless network of the school has been returned to normal while the wired network is expected to return to normal operations by August 14.
The school will still be sending breach notification letters to the 28,000 people who were affected and each person will be given access to credit monitoring and identity theft protection services.
While it is common for ransomware victims to pay ransoms, it is rare that they admit to doing so publicly. Cybersecurity experts remain at odds over whether victims should pay, which is part of why ransomware payment bans have largely stalled in state governments across the U.S.
In a survey released on Wednesday, cybersecurity firm Sophos said the education sector reported one of the highest rates of ransom payment – with 56% of the 200 higher education sector respondents confirming that their organization paid a ransom.
Yet despite having the highest rate of payment, respondents said the ransoms “significantly increased recovery costs for both higher and lower educational organizations.”
Higher education organizations that paid ransoms saw average recovery costs of $1.3 million, while those that restored their systems from backups spent $980,000. Those who paid ransoms also saw longer recovery times, according to Sophos, which said 63% of those who paid recovered from their attacks within a month, compared to 79% of those who used backups.
“While most schools are not cash-rich, they are very highly visible targets with immediate widespread impact in their communities,” said Chester Wisniewski, field CTO for Sophos.
“The pressure to keep the doors open and respond to calls from parents to ‘do something’ likely leads to pressure to solve the problem as quickly as possible without regard for cost. Unfortunately, the data doesn’t support that paying ransoms resolves these attacks more quickly, but it is likely a factor in victim selection for the criminals.”
Hawaiʻi Community College is a two-year community college on the island of Hawaiʻi that serves more than 2,500 students each year.
The school said that even after the cyberattack, hackers continue to “bombard” their system with attacks that “are becoming increasingly sophisticated.”
Officials at the University of Hawaiʻi said they are increasing scanning and monitoring across the 10-campus multi-island system while “deploying additional security technologies to better protect the campus servers and networks and the information they steward.”
“We cannot prevent cyberattacks, but we are always working to improve vigilance and readiness in this area,” officials said, noting that there were 190 known ransomware attacks against educational institutions between June 2022 and May 2023.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.