Full Report
Social Security numbers and other personal information from participants in a University of Hawaiʻi Cancer Center study were exposed to computer hackers in August but four months later UH had yet to notify those affected that their data was stolen. UH outlined the ransomware attack in a report to the Legislature in December, which appears to be…
Analysis Summary
# Incident Report: UH Cancer Center Data Compromise (Ransomware)
## Executive Summary
In August, computer hackers successfully conducted a ransomware attack against the University of Hawaiʻi (UH) Cancer Center, resulting in the exposure of sensitive personal information, including Social Security numbers, belonging to study participants. UH formally reported the breach to the Legislature in December, approximately four months after the incident occurred, and has subsequently been criticized for a lack of transparency and delays in notifying affected individuals.
## Incident Details
- Discovery Date: Not explicitly stated, but reported to Legislature in December (after the August incident).
- Incident Date: August (Year not specified, but context implies recent).
- Affected Organization: University of Hawaiʻi (UH) Cancer Center.
- Sector: Healthcare/Education/Research.
- Geography: Hawaiʻi, USA.
## Timeline of Events
### Initial Access
- Date/Time: August (Specific date/time not provided).
- Vector: Ransomware attack.
- Details: Hackers gained access and compromised data related to a UH Cancer Center study.
### Lateral Movement
- Details: Unknown, but implied by the extent of the data compromise and ransomware deployment.
### Data Exfiltration/Impact
- Details: Social Security numbers and other personal information belonging to study participants were exposed to hackers. Research files were held for ransom.
### Detection & Response
- Date/Time: Incident occurred in August. Report filed with the Legislature in December (a four-month delay). Affected individuals had still not been notified four months after the incident.
- Response actions taken: UH engaged with the hackers (the source says only that UH "engaged with hackers", without further detail) and outlined the attack in a December report to the Legislature. Officials declined interviews and withheld key details (e.g., the specific project, the scope of the breach, and whether a ransom was paid).
## Attack Methodology
- Initial Access: Ransomware attack.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Social Security numbers and other personal information were collected from the cancer study data.
- Exfiltration: Data was stolen/exposed to the hackers.
- Impact: Encryption/locking of Cancer Center research files (implied by ransomware) and data exposure.
## Impact Assessment
- Financial: Unknown; in particular, whether UH paid a ransom is undisclosed.
- Data Breach: Social Security numbers and other personal information of study participants compromised. The exact number of affected participants is undisclosed.
- Operational: Cancer Center research files were inaccessible due to the ransomware lock.
- Reputational: UH faced criticism for significant delays (four months) in notifying victims and lack of transparency regarding the scope and engagement with the attackers.
## Indicators of Compromise
- *No specific network, file, or behavioral IOCs were detailed in the provided context.*
## Response Actions
- Containment measures: Unknown.
- Eradication steps: Unknown.
- Recovery actions: UH was working to regain access to Cancer Center research files.
## Lessons Learned
- The incident highlighted significant deficiencies in breach disclosure and notification timeliness, as UH reported the incident to the Legislature four months after it happened and still had not notified victims.
- Key operational details regarding the scope and handling (e.g., ransom payment) of the incident were intentionally withheld by officials.
## Recommendations
- Update and strictly enforce state-mandated notification timelines following data incidents.
- Ensure comprehensive documentation is retained regarding the full scope of compromised data fields (SSNs, PII count) and any interactions or payments made to threat actors.
- Establish and adhere to clear communication protocols to ensure timely and transparent notification to affected individuals following confirmed data breaches.