Hawaii Community College last week paid an undisclosed sum to a ransomware group that stole the personal information of approximately 28,000 people and threatened to post it online.
The college posted a statement on its website July 26 that it had “made the difficult decision to negotiate with the threat actors in order to protect the individuals whose sensitive information might have been compromised.”
The ransomware group NoEscape claimed responsibility for the attack, threatening to publish 65 gigabytes of stolen data from the institution on June 19. The college said the group has a “documented history of publicly posting the stolen personal information of individuals when agreement with the impacted entity was not reached.”
The college said it worked with an external team of cybersecurity experts until it had “reached an agreement with the threat actors to destroy all of the information it illegally obtained.” The college did not disclose how much it paid NoEscape, which is believed to be a successor to the Avaddon ransomware group. Avaddon previously requested as much as $10 million from its victims.
The college said it’s sending letters to those affected with offers of credit monitoring and identity theft protection. The college recommended those impacted freeze their credit, review their account statements carefully and implement multi-factor authentication on their devices.
The college said it will continue to restore its IT infrastructure, with an estimated completion date of Aug. 14.