Law enforcement and experienced ransomware professionals generally advise victims not to pay any ransom demands. Yet the University of Hawaiʻi Community College decided that they would pay following an attack that they first disclosed on June 13. So why did they make that decision?
In a statement on their website this week, they explain:
After determining that the compromised data most likely contained personal information of approximately 28,000 individuals, the University of Hawaiʻi made the difficult decision to negotiate with the threat actors in order to protect the individuals whose sensitive information might have been compromised. A significant consideration in this decision-making process was that the criminal entity responsible for the attack has a documented history of publicly posting the stolen personal information of individuals when agreement with the impacted entity was not reached. Working with an external team of cybersecurity experts, UH reached an agreement with the threat actors to destroy all of the information it illegally obtained.
What information did the university consider so sensitive that it would warrant paying ransom when compared to other data breaches in the education sector where the victims didn’t pay? DataBreaches asked Brett Callow of Emsisoft for his thoughts on why the university paid when most universities take the advice of experts and don’t pay. He replied:
Paying a ransom to ‘protect’ data or individuals makes little sense. There’s absolutely no way for victims to know whether the stolen data will actually be deleted and, given that they’re dealing with untrustworthy bad faith actors, it likely will not be. Why would criminals delete information they may be able to monetize further?
It’s interesting that UH stated the fact that the criminals release data online was “a significant consideration” in the decision to pay. Most ransomware groups release data online, and sometimes that data is extremely sensitive – yet most schools do not pay. Why UH decided that payment was a sensible option is not clear.
The university also announced that notification letters are being sent to approximately 28,000 individuals. The letters will include an offer of credit monitoring and identity theft protection services through Experian.
The university does not say how much it agreed to pay and it did not name the attackers in its announcement, but the listing on the NoEscape dark web leak site was removed. Although the NoEscape ransomware gang first appeared under that name in June of this year, they are believed to be a rebrand of the Avaddon threat actors. They appear to be just another group using the double-extortion model that leaks the data of victims who don’t pay.
By all superficial factors, then, this breach doesn’t seem to have warranted any different treatment or response than other education sector breaches over the past few years. So were the decision-makers of the university just more sensitive to personal information breaches than decision-makers for other universities? Or were they just trying to decrease the chances of a lawsuit?
Those who are not long-time readers of DataBreaches.net may not know that back in 2009-2010, the university system had four breaches affecting about 100,000 students, faculty, and staff. They wound up settling a class-action lawsuit in 2012 by agreeing to provide two years of credit monitoring to those affected (an outcome DataBreaches had predicted), but the state legislature and others were all very concerned and looking at the university system’s infosecurity. Some of the articles on this site from that time included:
- Class-action suit filed against UH over data breaches
- Securing data will be costly, UH says
- Liberty Coalition gives University of Hawaii an ‘F’ for data breaches
- UH computer breach may have compromised 53,000 people
- Four U. Hawaii breaches since 2009 makes at least one student nervous
- University of Hawaii-Manoa Breaches exposes sensitive info on 40,000 students
With the exception of one vendor breach in 2019, things seem to have been pretty quiet since then, until earlier this year, when UH Maui College learned in mid-February that there had been a breach of its computer network. That breach was disclosed in April. Did UH fear that a second data breach disclosed just months later would result in another class-action lawsuit? Did they pay the attackers, knowing that criminals shouldn’t be trusted to keep their word, in an attempt to placate people so that there would be no litigation this time? Or was it really out of concern for sensitive data?
Perhaps news media or a legislator in Hawaii can find out more about what kinds of sensitive data UH had on its system that was acquired by the attackers — and why such sensitive information was even accessible to them.