In a rare move, a community college announced it has paid a ransom to hackers after data from roughly 28,000 individuals were compromised.
Hawai‘i Community College, part of the University of Hawai‘i system, announced on Friday it paid an undisclosed amount to an unnamed ransomware group.
“The University of Hawai‘i made the difficult decision to negotiate with the threat actors in order to protect the individuals whose sensitive information might have been compromised,” the university said in a statement. The ransomware group’s history of posting personal information when a deal is not reached was a “significant consideration” in the decision to pay, according to the university.
University officials said the deal it reached with the hackers includes the destruction of all of the obtained information.
Ransomware attacks have been increasing in recent months—most recently with file transfer software MOVEit. Law enforcement agencies advise institutions to avoid paying hackers.
“Paying a ransom doesn’t guarantee you or your organization will get any data back,” the FBI said in a statement on its website. “It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
Instead, the FBI suggests contacting a local field office and filing a complaint with the FBI’s Internet Crime Complaint Center.
As higher education institutions continue to see an uptick in attacks, many around the world are finding themselves dipping into funds. According to a 2023 report by the cybersecurity firm Sophos, 56 percent of the higher ed respondents said they had paid a ransom.
The University of Hawai‘i worked with a team of outside cybersecurity experts, according to its statement, in making the decision to pay the ransom and reach an agreement.
“The threat actors continue to bombard our systems with attacks, and they are becoming increasingly sophisticated,” the university said, noting the challenges it faces given its 10 campuses across multiple islands. “We cannot prevent cyberattacks, but we are always working to improve vigilance and readiness in this area.”
More than 28,000 individuals were alerted of the hack, which was first reported on June 13. The potentially affected individuals were offered credit monitoring and identity theft protection services through credit reporting company Experian.