Social Security numbers and other personal information from participants in a University of Hawaiʻi Cancer Center study were exposed to computer hackers in August but four months later UH had yet to notify those affected that their data was stolen.
UH outlined the ransomware attack in a report to the Legislature in December, which appears to be later than required by state law and lacked required information.
UH officials declined an interview request and have refused to provide key information, including which cancer research project had been affected, how many participants’ Social Security numbers were exposed and whether — or how much — UH paid the hackers to regain access to Cancer Center research files.
After hackers exploited study research files at the University of Hawaii Cancer Center, the university engaged with the hackers to obtain tools to regain access to the files. (PF Bentley/Civil Beat/2014)
It’s also unclear how UH ensured the hackers destroyed their copies of the purloined data.
The report indicates that the hackers broke into Cancer Center servers, encrypted files related to a cancer study and demanded payment for a program to decrypt the files.
“UH made the difficult decision to engage with the threat actors in order to protect the individuals whose senstive [sic] information may have been compromised,” UH reported.
“Keeping external stakeholders informed,” the university added, “UH worked with an external team of cybersecurity experts to obtain a decryption tool and to secure destruction of the information the threat actors illegally obtained.”
The university is now working to compile names and addresses to notify study participants who might have been affected, the report says. UH plans to offer credit monitoring and identity theft prevention to those whose personal information was exposed.
In the meantime, the Cancer Center has reset passwords, installed protection software with continual monitoring, rebuilt compromised systems and conducted a third-party assessment of the new security controls.
Report Leaves Many Questions Unanswered
In response to an interview request, UH spokesman Dan Meisenzhal provided a statement with no details beyond those reported to the Legislature.
One unanswered question involves the time it took for UH to report the information to the Legislature, aside from saying an investigation was ongoing.
State law generally requires government agencies to submit reports of security breaches to the Legislature within 20 days of discovering the breach, including “the number of individuals affected by the breach, a copy of the notice of security breach that was issued, the number of individuals to whom the notice was sent, whether the notice was delayed due to law enforcement considerations.”
In this case, UH discovered the breach in August and filed its report with the Legislature in December.
The law provides an exception to the 20-day reporting deadline when “a law enforcement agency informs the government agency that notification may impede a criminal investigation or jeopardize national security.” But the report makes no mention of any such request by law enforcement.
It’s also not clear how UH decided to engage with the hackers. The FBI discourages paying ransoms to hackers.
“Paying a ransom emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved,” the agency’s cyber division says on a ransomware webpage.
“At the end of the day, FBI doesn’t have the decryption keys. They’re not going to help you.”
Chuck Lerch, HITech Hui
But that’s hardly a practical solution, says Chuck Lerch, chief experience officer and head of cybersecurity for HITech Hui, an IT and cybersecurity firm in Honolulu.
“Yeah, the FBI always says, ‘don’t pay it,’” Lerch said. “But then, you know, you have the business owner that wants to get back in business, and they want to protect their customers, and they’re going to pay it. I mean, at the end of the day, FBI doesn’t have the decryption keys. They’re not going to help you.”
There’s also the risk that hackers won’t keep promises to provide encryption keys and destroy stolen data if ransoms are paid. Despite the risk, Lerch said many hackers generally follow a code of ethics necessary to operate what he called “the most profitable business in the history of the world.”
“It’s an honor thing to some degree,” he said, “but you never know.”
In the end, Lerch said, it’s most cost-effective to have systems in place to prevent hackers ahead of time.
“Usually an ounce of prevention is definitely worth a pound of rebuilding,” he said. “So it’s, ‘You’re gonna pay now or pay later.’”
Sign up for our FREE morning newsletter and face each day more informed.
Sign Up
Sorry. That’s an invalid e-mail.
Thanks! We’ll send you a confirmation e-mail shortly.
