University of Hawaii Data Breach

By MDL on January 26, 2018

The University of Hawaii system suffered a data breach as the result of a spear phishing campaign that exposed personal information of up to 2,400 faculty, staff, students, and student applicants. The breach occurred on 25 SEPT 2017, and a description of compromised information was later revealed in October 2017.

The compromised personal data included faculty and staff names and Social Security numbers along with graduate student admissions data, which would include date of birth, address, and “educational information.”

In a Honolulu Star-Bulletin article, Dan Meisenzahl, director of communications for the University of Hawaii system, says that the UH system was targeted in a spear phishing campaign and that “‘multiple servers’ within one school in the university system were affected, and those servers were taken offline.” The affected school was not identified because of the ongoing investigation. UH is working with the FBI to assist in the investigation.

A University of Hawaii System Report to the 2017 Legislature released last week lists the nature of data exposure as “files containing sensitive information discovered while investigating a Business Email Compromise (BEC).”

The section titled “Incident Description” begins, “In October 2017, while investigating an email compromise, network devices on the University of Hawai`i (UH) network were found to contain sensitive information. At this time, UH cannot confirm that any of the sensitive information was taken or that it was misused.” The description of the breach continues, “The network was protected by a firewall, but the attackers were able to find a way around it and retrieved login information to gain access to the network.”

The section titled “Remediation” describes changes to UH policy for encrypting sensitive data at rest and deleting unnecessary data, increased staff education and training, rebuilding, checking, and monitoring systems for backdoors and indicators of compromise, and reviewing network architecture and security controls.

A sample notification letter to possible data breach victims included in the report reads, “We are implementing additional security measures in an attempt to detect and prevent similar attacks.” The letter includes an offer for one year of free credit monitoring services, which must be activated by 12 FEB 2018.

The University of Hawaii was affected by five data breaches between 2009 and 2011, which Meisenzahl described as a “much larger-scale-type incident” than the latest data breach.

UH Information Technology Services (ITS) has sent out several warning emails about phishing scams in recent weeks.

Sources:

Honolulu Star-Advertiser, 2,400 were exposed to phishing scheme, UH tells lawmakers

University of Hawaii, Report to the Legislature on Data Exposure at the University of Hawaii (PDF)