[BreachExchange] Thousands Affected by Ransomware Attack on Hawaii Company

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Sep 29 09:01:15 EDT 2021


https://www.govtech.com/security/thousands-affected-by-ransomware-attack-on-hawaii-company

About 4,500 customers of a Honolulu payroll processing company were
potentially affected by a ransomware attack that exposed Social Security
numbers, dates of birth, the full names of clients and bank account
information.

In mid-February, Hawaii Payroll Services LLC discovered its servers and
databases had been breached by an unauthorized user.

The prohibited access of the servers maintaining company information
happened from Feb. 15 to 16, likely by someone "able to gain access to
Hawaii Payroll's systems through a compromised client account and execute a
privilege escalation attack that enabled the intruder to disable and remove
security software and encrypt all data residing in Hawaii Payroll's
servers," according to the company.

In response, the company said it suspended all remote client access and
asked its third-party vendor that handles information technology operations
to evaluate the extent of the intrusion.

Letters were sent in late May to people potentially affected by the attack,
but some have been returned unopened, and Hawaii Payroll Services is still
trying to gain access to many of the files it was locked out of, said
company owner Michelle Wells-Nagamine in an interview with the Honolulu
Star-Advertiser.

There have been no reports, so far, that the data is available on the dark
web or has been used inappropriately, she said, and some of the encryption
information has been released.

"It is an impact for sure, but we have to deal with IT," Wells-Nagamine
said. "We got everything put back in for this year, and we marched forward.
That's all I can do."

The company retained "expert forensic assistance" to further investigate
and remediate the situation and to suggest security improvements, according
to Wells-Nagamine.

Founded in July 2003, Hawaii Payroll Services is a domestic limited
liability company, according to the state Department of Commerce and
Consumer Affairs. It provides payroll processing, 401(k) reporting and
payroll tax filing.

The company serves more than 120 local companies, including Rainforest at
Kilohana Square, Diamond Bakery, Yummy's BBQ and Jean's Warehouse.

Wells-Nagamine filed a police report and a complaint with the Federal
Bureau of Investigation's Honolulu field office. Notifications to state
regulators and credit reporting agencies are ongoing.

The Honolulu Police Department's Financial Crimes Detail has opened a
first-degree unauthorized computer access investigation. No arrests have
been made in the case, according to HPD spokeswoman Michelle Yu. The FBI
did not immediately reply to a request for an update on the complaint
reported by Wells-Nagamine.

Last year proved a boon for Internet criminals as more Americans worked
remotely, participated in distance learning or used online resources due to
the COVID-19 pandemic. Nationally, Internet crimes increased about 40%,
from 467,361 complaints that cost Americans about $3.5 billion in 2019 to
791,790 complaints and $4.2 billion in losses in 2020, according to the
U.S. Department of Justice.

Last year the FBI's Internet Crime Complaint Center received 2,474
ransomware reports, which accounted for over $29.1 million in losses.
Ransomware is a type of malware that encrypts data on a computer, making it
unusable, according to the FBI.

The dollar figure does not include estimates of lost business, time, wages,
files or equipment, or any third-party remediation services acquired by a
victim, according to the FBI. In some instances, victims do not report
losses to the federal government, generating an artificially low overall
ransomware loss rate.

Whoever initiates the attack holds the data hostage until a ransom payment
or some other arrangement in exchange for access to the encrypted
information is reached. According to the Justice Department, in some cases
cyber criminals have pressured victims by threatening to destroy their data
or make it public.