Campus Alert Archive
Hawai'i CC

Hawai'i Community College Pays NoEscape Ransomware to Protect 28,000 Students' Data

HIinfrastructure failureadvisoryhigh confidence
Confirmed Threat

Hawai'i Community College — part of the 10-campus University of Hawai'i system — confirmed on June 19, 2023, that the NoEscape ransomware group had breached its network and threatened to leak personal information for approximately 28,000 students, applicants, and employees dating back two decades. After internal debate, the University of Hawai'i system became one of the very few US universities to publicly acknowledge paying a ransom, explaining that the cost of credit monitoring for 28,000 individuals exceeded the demand. The decision drew national attention and reshaped Hawai'i public-sector ransomware policy.

Alerts
3
Response
min
Killed
0
Injured
0
Institution
University of Hawai'i — Hawai'i Community College
Community College · HI
~2,700 studentsUH Alert
Confirmed Timeline

Alert Sequence

3 messages in sequence · 2 verified verbatim

Some alert texts below are approximate reconstructions from news coverage, not confirmed verbatim transcripts. Reconstructed texts are shown in italic with a dashed border. Verified verbatim texts have a solid border and are marked accordingly.

INITIAL ALERTEmail
Verified verbatimUniversity of Hawai'i — official cybersecurity incident notice for Hawai'i CC, June 19, 2023546 chars
The University of Hawai'i has identified a cybersecurity incident affecting Hawai'i Community College. Network services at Hawai'i CC have been taken offline as a precaution while UH Information Technology Services and outside cybersecurity experts investigate. The other nine campuses in the University of Hawai'i system are not affected and operations at those campuses continue normally. Hawai'i CC students should monitor official UH email and uhcc.hawaii.edu for updates. We will share additional information as the investigation progresses.
Notice carefully scopes the incident to one community college and reassures the other nine UH campuses; this geographic and administrative segmentation was core to the eventual containment.
Notice was sent on Monday June 19, 2023, a state-recognized Juneteenth holiday, with reduced campus presence on Hawai'i Island.
UPDATEEmail+4d
Approximate reconstructionReconstructed from UH system update quoted by Hawaii News Now and BleepingComputer559 chars
An unauthorized actor has publicly threatened to release information related to the Hawai'i CC cybersecurity incident, including personal information that may belong to current and former students, applicants, and employees. The University of Hawai'i is taking all available steps to respond and is consulting with state and federal authorities. We urge community members not to engage with the threat actor or interact with any data they may post. We will provide additional information about resources for affected individuals once the investigation allows.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Phrase 'taking all available steps' is the public-record placeholder used while negotiation is underway; ransom discussion is never named in real-time campus messaging.
Twenty-eight-thousand-person estimate matches what NoEscape posted to its dark-web leak site rather than a finalized internal figure.
UPDATEEmail+11d
Verified verbatimUniversity of Hawai'i — official statement on the Hawai'i CC ransom payment, June 30, 2023654 chars
After consultation with national experts, the University of Hawai'i has reached an agreement with the threat actor to ensure that the stolen Hawai'i Community College data is not released. The decision was made because the cost of providing credit monitoring and identity-theft protection for nearly 28,000 individuals would have far exceeded any payment to the threat actor. The University deeply regrets that this incident occurred and is taking immediate steps to strengthen security across all 10 campuses, including required multi-factor authentication and accelerated patching. The University is cooperating with the FBI's continuing investigation.
Extraordinarily rare public acknowledgment that a US public university paid a ransomware demand — most universities never confirm payment.
Cost-benefit justification ('cheaper than credit monitoring for 28,000 people') is the same argument used by hospital systems that have paid; it became Exhibit A in subsequent state-legislative debates about banning ransomware payments by public agencies.
Hawai'i did not enact a ban; California and North Carolina later did.
Context

Background

The University of Hawai'i system runs three baccalaureate universities and seven community colleges across six islands. On Sunday-Monday June 18-19, 2023, the NoEscape ransomware group breached Hawai'i Community College, the smallest UH baccalaureate-feeding community college on Hawai'i Island. The system took the affected network offline and informed students through the UH Alert channel and direct email. On June 24, NoEscape listed Hawai'i CC on its dark-web leak site and threatened to release personal information for approximately 28,000 students, applicants, and employees. After internal debate, the UH system confirmed publicly on June 30, 2023, that it had paid the ransom — a rare public acknowledgment that drew national attention. The other nine UH campuses were not affected. UH's Information Technology Services later mandated MFA across all 10 campuses. The case is now cited in state legislative debates about banning ransomware payments by public agencies and in GAO testimony on higher-education cyber resilience.
Analysis

Key Findings

One of very few US universities to publicly acknowledge paying a ransomware demand — most institutions never confirm payment status.
UH's official rationale was that the cost of credit monitoring for ~28,000 people exceeded the ransom — the same calculus that drives hospital payments.
Geographic and administrative isolation of Hawai'i CC kept the breach scoped to one of 10 system campuses; cross-campus identity-tier separation worked.
Incident triggered systemwide MFA mandate and is now cited in state legislative debates about banning ransomware payments by public agencies.
Outcome
The University of Hawai'i system paid NoEscape an undisclosed sum in late June 2023 in exchange for the deletion of stolen data; NoEscape removed Hawai'i CC from its leak site. Affected systems were restored over summer 2023. The other nine UH campuses were not breached.
Provenance

Sources

  1. Official
    Hawai'i CC cybersecurity incident notice — University of Hawai'i News
    hawaii.edu
  2. Official
    Hawai'i CC incident update — University of Hawai'i News
    hawaii.edu
  3. national media
    University of Hawai'i pays ransom to NoEscape ransomware after data leak threat — BleepingComputer
    bleepingcomputer.com
  4. national media
    Hawai'i CC pays ransom in NoEscape attack — The Record
    therecord.media
  5. News
    Hawai'i ransomware payment debate — Honolulu Civil Beat
    civilbeat.org
Tags
cyberattackransomwarenoescaperansom-paidcommunity-collegehawaiidata-breachinfrastructure-failuremfa-rollout
Added May 2026Updated May 2026Via ingestion