2,400 were exposed to phishing scheme, UH tells lawmakers

University of Hawai'i Logo

Select an option below to continue reading this premium story.

Already a Honolulu Star-Advertiser subscriber? Log in now to continue reading.

Get unlimited access

From as low as $12.95 /mo.

Subscribe Now

An employee email security breach at the University of Hawaii at Manoa last fall potentially exposed the names, Social Security numbers and other sensitive information belonging to about 2,400 faculty, staff and graduate student applicants, according to a report to the state Legislature.

Dan Meisenzahl, director of communications for the UH system, told the Honolulu Star-Advertiser that the university system was targeted as part of a “spear phishing campaign” in which hackers use email to entice computer users to reveal confidential information.

“Multiple servers” within one school in the university system were affected, and those servers were taken offline, he said. The school where the hack occurred was not disclosed because of the ongoing investigation.

“The affected systems have been taken care of. The issue has been eradicated,” Meisenzahl said.

The university has been consulting with the FBI in connection with the Sept. 25 breach, and in October the investigation revealed some faculty and staff names and Social Security numbers were compromised, he said.

In addition to the faculty and staff information, a small group of graduate applicants may have had their birthdays, addresses and other educational information on their initial admission applications exposed, Meisenzahl said.

Don't miss out on what's happening!

Stay in touch with top news, as it happens, conveniently in your email inbox. It's FREE!

By clicking to sign up, you agree to Star-Advertiser's and Google's Terms of Service and Privacy Policy. This form is protected by reCAPTCHA.

“We don’t know how this is going to impact our community members, and we hope it has minimal impact, if any at all. We take it very, very seriously,” Meisenzahl said.

UH wrote in its report to lawmakers, released online last week, that the network was protected by a firewall, but the attackers were able to find a way around it and retrieved login information to gain access to the network.

The university also implemented additional security measures to try to “detect and prevent similar attacks,” according to the report to lawmakers. The employee who opened the corrupted email was not identified.

A letter was sent out to the 2,400 individuals to notify them that they might be at risk of fraudulent activities, and to offer those who might have been affected a year of free credit monitoring services. The letter provided few details about the breach because of the ongoing investigation.

Those who might have been affected have until Feb. 12 to activate credit monitoring services, according to the letter reporting the incident, which was signed by Garret T. Yoshimi, chief information officer for the UH system.

This is not the first time the university system has been hacked.

In the 2012 settlement of a lawsuit, the university agreed to provide two years of credit monitoring and fraud restoration services to 98,000 students, alumni, faculty, staff and others who were potentially affected by five data breaches from 2009 to 2011.

“(UH) was a victim of a much larger-scale-type incident, or a number of incidents back in 2009 and 2010, which is one of the reasons why we have probably one of the best cybersecurity teams in the state,” Meisenzahl said.

“We’ve been actively communicating with our community,” he said. “Not only after this incident, but prior, for years now, we’ve been reminding people about these things.”

Since the latest incident, he said multiple emails have been sent out by the UH information technology department to faculty and students warning them about phishing scams.