After a ransomware attack which saw the personal information of 28,000 individuals stolen by hackers, Hawaii Community College has confirmed that it has paid a ransom.
In a statement published on the University of Hawaii website, the college said that it had made the “difficult decision” to negotiate with the cybercriminals because of the likelihood that stolen personal data would be publicly posted if a ransom was not paid.
The University of Hawaii says that it has now reached an agreement with the cybercriminals (believed to be from the NoEscape ransomware group) that the illegally-obtained information would be destroyed, and continues to work on restoring its network which it expects to complete by mid-August.
There are divided opinions as to whether ransoms should be paid by organisations hit by a ransomware attack. Although it’s clear that paying a ransom will encourage cybercriminals to launch more attacks, I believe we should also remember that those hit by ransom may feel that they have no other option.
After all, if you don’t pay a ransom demand you are not only risking that the sensitive information of employees, partners, and the public will be released into the wild (at no fault of their own), but you could also be risking the very future of your organisation.
Although relatively rare, there are cases of companies which have gone bust after being hit ransomware, meaning innocent people lose their livelihoods.
Sometimes a pragmatic decision has to be made. We all agree that paying cybercriminals leaves a highly unpleasant taste in the mouth, but you may feel that it is the least worst option.
Some 28,000 current and former students and employees of Hawaii Community College are being contacted about the security breach, and offered credit monitoring and identity theft protection services.
The University of Hawaii believes that the Hawaii Community College was the only one ot its campuses to be impacted by the ransomware attack.