Skip to content
Campus Alert Archive
Hawai'i CC

Ransomware breach threatened data of about 28,000 people; ransom payment acknowledged

AI-generated · every claim is source-linked
HIinfrastructure failureadvisoryhigh confidence
Confirmed Threat

Hawai'i Community College (part of the 10-campus University of Hawai'i system) confirmed on June 19, 2023, that the NoEscape ransomware group had breached its network and threatened to leak personal information for approximately 28,000 students, applicants, and employees dating back two decades. After internal debate, the University of Hawai'i system became one of the very few US universities to publicly acknowledge paying a ransom, explaining that the cost of credit monitoring for 28,000 individuals exceeded the demand. The decision drew national attention and reshaped Hawai'i public-sector ransomware policy.

Alerts
2
Response
min
Killed
0
Injured
0
Institution
University of Hawai'i — Hawai'i Community College
Community College · HI
All Hawai'i CC cases →
~2,700 studentsUH Alert
Documented Timeline

Alert Sequence

2 messages in sequence · 1 verified verbatim

Some messages in this sequence are documented (their existence, timing, and channel are sourced) but their exact wording is not preserved in the public record. Those entries appear as placeholders; only confirmed text is displayed.

INITIAL ALERTEmail
The University of Hawai'i has identified a cybersecurity incident affecting Hawai'i Community College. Network services at Hawai'i CC have been taken offline as a precaution while UH Information Technology Services and outside cybersecurity experts investigate. The other nine campuses in the University of Hawai'i system are not affected and operations at those campuses continue normally. Hawai'i CC students should monitor official UH email and uhcc.hawaii.edu for updates. We will share additional information as the investigation progresses.
Notice carefully scopes the incident to one community college and reassures the other nine UH campuses; this geographic and administrative segmentation was core to the eventual containment.
Notice was sent on Monday June 19, 2023, a state-recognized Juneteenth holiday, with reduced campus presence on Hawai'i Island.
UPDATEEmail
A update message is documented at this point in the sequence, but its exact wording is not preserved in the public record. The public edition displays only confirmed alert text.
Message elements

How the first alert is built

To check this alert, Claude (an AI) read it in full 25 separate times, independently. Each read decided whether the message answers each of the six questions and gave a short reason. A final reviewer then weighed all 25 and wrote the plain-English verdict you see when you open a row. The score (for example 22/25) is how many reads agreed; the 25 individual reads are tucked underneath if you want to check them.

The University of Hawai'i has identified a cybersecurity incident affecting Hawai'i Community College. Network services at Hawai'i CC have been taken offline as a precaution while UH Information Technology Services and outside cybersecurity experts investigate. The other nine campuses in the University of Hawai'i system are not affected and operations at those campuses continue normally. Hawai'i CC students should monitor official UH email and uhcc.hawaii.edu for updates. We will share additional information as the investigation progresses.

  • Sourcepresent25/25

    Final assessment

    Unanimous: it names the University of Hawaii and UH Information Technology Services, identifying the sender.

    Who is sending the alert and who is responding. People act faster on a message from a clearly identifiable, credible sender, such as a named department, the police, or a branded alert system, than on an anonymous notice. A branded signature counts.

    See all 25 individual reads
    1. present: It names "The University of Hawai'i" and "UH Information Technology Services".
    2. present: It names "The University of Hawai'i" and "UH Information Technology Services".
    3. present: It names "The University of Hawai'i" and "UH Information Technology Services".
    4. present: It names "The University of Hawai'i" and "UH Information Technology Services".
    5. present: "The University of Hawai'i" and "UH Information Technology Services" identify the sender.
    6. present: It names "The University of Hawai'i" and "UH Information Technology Services", identifying the source.
    7. present: It names "The University of Hawai'i" and "UH Information Technology Services", identifying the sender.
    8. present: It names "The University of Hawai'i" identifying the issuing institution.
    9. present: "The University of Hawai'i" and "UH Information Technology Services" identify the sender.
    10. present: It names "The University of Hawai'i" and "UH Information Technology Services".
    11. present: It names "The University of Hawai'i" and "UH Information Technology Services" as sender.
    12. present: "The University of Hawai'i" and "UH Information Technology Services" identify the sender.
    13. present: It names "The University of Hawai'i" and "UH Information Technology Services".
    14. present: It names "The University of Hawai'i" and "UH Information Technology Services", identifying the sender.
    15. present: It names "The University of Hawai'i" and "UH Information Technology Services".
    16. present: It names "The University of Hawai'i" and "UH Information Technology Services" as issuer.
    17. present: It names "The University of Hawai'i", the sender.
    18. present: It names "The University of Hawai'i" and "UH Information Technology Services".
    19. present: It names "The University of Hawai'i" and "UH Information Technology Services".
    20. present: It names "The University of Hawai'i" and "UH Information Technology Services".
    21. present: It names "The University of Hawai'i" as identifying the incident, the sender.
    22. present: Names "The University of Hawai'i" and "UH Information Technology Services".
    23. present: Names "The University of Hawai'i" and "UH Information Technology Services".
    24. present: "The University of Hawai'i" and "UH Information Technology Services" identify the sender.
    25. present: It names "The University of Hawai'i" and "UH Information Technology Services".
  • Hazardpresent25/25

    Final assessment

    Unanimous: it names a cybersecurity incident that took network services offline, a specific hazard.

    What the threat actually is. A complete warning names the specific danger, such as a shooter, a fire, a tornado, or a gas leak, rather than a vague emergency, because people decide what to do based on what they are facing.

    See all 25 individual reads
    1. present: It names "a cybersecurity incident" and ransomware-style network shutdown, a specific hazard.
    2. present: It names "a cybersecurity incident" affecting the college.
    3. present: It names "a cybersecurity incident", a specific threat.
    4. present: It names "a cybersecurity incident" affecting the college, a specific threat.
    5. present: It names "a cybersecurity incident" and ransomware-style network outage, a specific hazard.
    6. present: It names "a cybersecurity incident" affecting the college, a specific hazard.
    7. present: It names "a cybersecurity incident" affecting the college, a specific threat.
    8. present: It names "a cybersecurity incident" affecting the college.
    9. present: It names a "cybersecurity incident" and that "Network services... have been taken offline".
    10. present: It names a "cybersecurity incident" with "Network services taken offline".
    11. present: It names a "cybersecurity incident" affecting the campus, a specific threat.
    12. present: It names "a cybersecurity incident" affecting the college, a specific hazard.
    13. present: It names "a cybersecurity incident" affecting the college, a specific threat.
    14. present: It names "a cybersecurity incident" and ransomware-style network takedown, a specific hazard.
    15. present: It names "a cybersecurity incident", a specific threat.
    16. present: It names "a cybersecurity incident" affecting the college, a specific threat.
    17. present: It names a "cybersecurity incident" affecting the college, a specific hazard.
    18. present: It names "a cybersecurity incident", a specific threat.
    19. present: It names a "cybersecurity incident" affecting Hawai'i CC, a specific threat.
    20. present: It names "a cybersecurity incident", a specific threat.
    21. present: It names "a cybersecurity incident" and ransomware-type network compromise, a specific threat.
    22. present: Names "a cybersecurity incident", a specific threat.
    23. present: Names a "cybersecurity incident" affecting Hawai'i Community College, a specific threat.
    24. present: It names "a cybersecurity incident" affecting Hawai'i CC, a specific threat.
    25. present: It names a "cybersecurity incident" affecting the college.
  • Locationpresent25/25

    Final assessment

    Unanimous: it locates it at Hawaii Community College and the system campuses, a stated location.

    Where the threat is. Saying whether danger is in a specific building, a part of campus, or area-wide lets people judge their own proximity and choose a safe direction. Without a where, a warning is hard to act on precisely.

    See all 25 individual reads
    1. present: It locates it at "Hawai'i Community College" and the UH system campuses.
    2. present: It locates it at "Hawai'i Community College".
    3. present: It says "Hawai'i Community College", a place.
    4. present: It locates it at "Hawai'i Community College".
    5. present: It specifies "Hawai'i Community College" and "the other nine campuses".
    6. present: It specifies "Hawai'i Community College" and the other campuses, specific locations.
    7. present: It locates it at "Hawai'i Community College", a specific place.
    8. present: It names "Hawai'i Community College" and the system campuses.
    9. present: It locates it at "Hawai'i Community College".
    10. present: It locates it at "Hawai'i Community College".
    11. present: It specifies "Hawai'i Community College" and the nine other campuses.
    12. present: It names "Hawai'i Community College" and the campuses.
    13. present: It names "Hawai'i Community College" and the nine other campuses.
    14. present: It names "Hawai'i Community College" and the nine other campuses, specific locations.
    15. present: It locates it at "Hawai'i Community College".
    16. present: It names "Hawai'i Community College" and the campus, specific places.
    17. present: It names "Hawai'i Community College", a specific place.
    18. present: It locates it at "Hawai'i Community College".
    19. present: It locates it at "Hawai'i Community College" and "Hawai'i CC".
    20. present: It names "Hawai'i Community College" and its network.
    21. present: It locates it at "Hawai'i Community College", a specific place.
    22. present: Locates it at "Hawai'i Community College".
    23. present: Locates it at "Hawai'i Community College" and other named campuses.
    24. present: It names "Hawai'i Community College" and the other "nine campuses", specific places.
    25. present: It locates it at "Hawai'i Community College".
  • Guidancepresent25/25

    Final assessment

    Unanimous: it tells students to monitor official UH email and the website for updates, a recipient action.

    The protective action to take. A clear, specific instruction, such as shelter in place, evacuate, avoid the area, or run-hide-fight, drives faster and more correct protective behavior than describing the threat alone.

    See all 25 individual reads
    1. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    2. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    3. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    4. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    5. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    6. present: It tells Hawai'i CC students to "monitor official UH email and uhcc.hawaii.edu for updates", a recipient action.
    7. present: It instructs students to "monitor official UH email and uhcc.hawaii.edu for updates", a protective action.
    8. present: It instructs students to "monitor official UH email and uhcc.hawaii.edu for updates".
    9. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    10. present: It instructs students to "monitor official UH email and uhcc.hawaii.edu for updates".
    11. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    12. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    13. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    14. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates", a protective action.
    15. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    16. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    17. present: It instructs students to "monitor official UH email and uhcc.hawaii.edu for updates".
    18. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    19. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    20. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    21. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    22. present: Tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    23. present: Tells students to "monitor official UH email and uhcc.hawaii.edu for updates".
    24. present: It tells students to "monitor official UH email and uhcc.hawaii.edu for updates", a recipient action.
    25. present: It instructs students to "monitor official UH email and uhcc.hawaii.edu for updates".
  • Timeabsent4/25

    Final assessment

    Strong consensus: no clock time, date, or recency cue appears, so timing is absent; a few read present-tense phrasing as recency.

    When the message applies. A timestamp, the word now or immediately, or a phrase like until further notice tells the reader whether the danger is current and how quickly to act.

    See all 25 individual reads
    1. absent: No clock time, date, or recency cue such as "now" appears.
    2. absent: No clock time, date, or recency cue such as "now" appears.
    3. absent: No clock time, date, or recency cue appears in the text.
    4. absent: No clock time, date, or recency cue appears in the text.
    5. absent: No clock time, date, or recency cue like "now" appears in the text.
    6. absent: No clock time, date, or recency cue such as "now" appears in the text.
    7. present: It conveys recency with "have been taken offline" and "as the investigation progresses".
    8. absent: No clock time, date, or recency cue appears in the text.
    9. absent: No clock time, date, or recency cue appears.
    10. absent: No clock time, date, or recency cue appears in the text.
    11. absent: It gives no clock time, date, or recency cue for the incident.
    12. absent: No clock time, date, or recency cue such as "now" appears.
    13. absent: No clock time, date, or recency cue appears in the text.
    14. absent: It says updates will come but gives no clock time, date, or recency cue.
    15. absent: No clock time, date, or recency cue such as "now" appears in the text.
    16. absent: No clock time, date, or recency cue such as "now" appears in the text.
    17. absent: No clock time, date, or recency cue such as "now" is given.
    18. present: It uses recency cues, "taken offline as a precaution while ... investigate".
    19. present: It uses recency cues like "have been taken offline" and "as the investigation progresses".
    20. present: It uses present-tense recency "have been taken offline" and "as the investigation progresses".
    21. absent: No clock time, date, or recency cue is given for the incident.
    22. absent: No clock time, date, or recency cue such as "now" appears.
    23. absent: No clock time, date, or recency cue appears in the text.
    24. absent: No clock time, date, or recency cue such as "now" appears.
    25. absent: No clock time, date, or recency cue such as "now" appears.
  • Impactabsent0/25

    Final assessment

    Absent by unanimous 25-0 read; the ransomware message names the incident but states no harm, danger, or consequence to people.

    What the hazard could do to the people in its path. Beyond naming the threat, a complete warning conveys its potential consequences or severity, such as that a tornado can level buildings or that a leak could be explosive, so recipients grasp how much danger they are in. Research on warning message content finds that a concrete impact statement helps people personalize their risk and act sooner.

    See all 25 individual reads
    1. absent: Reports a cybersecurity incident with services taken offline as a precaution but states no harm or serious consequence.
    2. absent: Describes a cybersecurity incident and network services taken offline but states no harmful consequence beyond service disruption.
    3. absent: Describes a cybersecurity incident with network services taken offline but states no harm to people or property beyond the disruption itself.
    4. absent: It describes a cybersecurity incident with services taken offline but states no harm or consequence to people or operations.
    5. absent: It describes a cybersecurity incident and offline services but states no concrete harm or severity to people or property.
    6. absent: Describes a cybersecurity incident and precautionary network shutdown without stating any damage or consequence.
    7. absent: It describes a cybersecurity incident and services taken offline as a precaution but states no consequence or harm severity.
    8. absent: Describes a cybersecurity incident with services taken offline as a precaution but states no harm or severity consequence.
    9. absent: Describes a cybersecurity incident and network outage but states no harm, danger, or severity to people or property.
    10. absent: This describes a cybersecurity incident with services taken offline as a precaution but states no harm, consequences, or danger to people.
    11. absent: Describes a cybersecurity incident with network services taken offline but states no harm or severity to people or property.
    12. absent: The cybersecurity notice describes network services taken offline as a precaution with no stated harm or severity to people or property.
    13. absent: This describes a cybersecurity incident with services taken offline but states no specific consequence or severity of harm.
    14. absent: Describes a cybersecurity incident and network outage but states no consequence or harm beyond services being offline.
    15. absent: Describes a cybersecurity incident and network shutdown but states no consequence or harm to people or systems.
    16. absent: This describes a cybersecurity incident with services taken offline as a precaution but states no harm or severity beyond network disruption.
    17. absent: It describes a cybersecurity incident with services taken offline as a precaution but states no consequence or harm beyond the disruption being named.
    18. absent: This describes a cybersecurity incident and network outage as a precaution but states no harm or consequence beyond services being offline.
    19. absent: This describes a cybersecurity incident with services taken offline as a precaution but states no consequence beyond service disruption and names only the hazard.
    20. absent: Describes a cybersecurity incident and network services taken offline but states no consequence or harm beyond the disruption itself.
    21. absent: Describes a cybersecurity incident and precautionary network shutdown but states no harm or consequence to people or property.
    22. absent: Describes a cybersecurity incident with services taken offline but states no harm or consequence beyond the precautionary outage.
    23. absent: Reports a cybersecurity incident with services taken offline as a precaution but states no harm or consequence.
    24. absent: The cybersecurity notice says services were taken offline as a precaution but states no harm, damage, or severity beyond naming the incident.
    25. absent: Describes a cybersecurity incident with services taken offline but states no consequence or harm beyond the outage.

Systematic AI judgments with visible reasoning, not human-validated codings.

About this analysis
Context

Background

The University of Hawai'i system runs three baccalaureate universities and seven community colleges across six islands. On Sunday-Monday June 18-19, 2023, the NoEscape ransomware group breached Hawai'i Community College, the smallest UH baccalaureate-feeding community college on Hawai'i Island. The system took the affected network offline and informed students through the UH Alert channel and direct email. On June 24, NoEscape listed Hawai'i CC on its dark-web leak site and threatened to release personal information for approximately 28,000 students, applicants, and employees. After internal debate, the UH system confirmed publicly on June 30, 2023, that it had paid the ransom, a rare public acknowledgment that drew national attention. The other nine UH campuses were not affected. UH's Information Technology Services later mandated MFA across all 10 campuses. The case is now cited in state legislative debates about banning ransomware payments by public agencies and in GAO testimony on higher-education cyber resilience.
Analysis

Key Findings

One of very few US universities to publicly acknowledge paying a ransomware demand, most institutions never confirm payment status.
UH's official rationale was that the cost of credit monitoring for ~28,000 people exceeded the ransom, the same calculus that drives hospital payments.
Geographic and administrative isolation of Hawai'i CC kept the breach scoped to one of 10 system campuses; cross-campus identity-tier separation worked.
Incident triggered systemwide MFA mandate and is now cited in state legislative debates about banning ransomware payments by public agencies.
Outcome
The University of Hawai'i system paid NoEscape an undisclosed sum in late June 2023 in exchange for the deletion of stolen data; NoEscape removed Hawai'i CC from its leak site. Affected systems were restored over summer 2023. The other nine UH campuses were not breached.
Provenance

Sources

  1. Official
  2. Official
  3. national media
  4. national media
  5. News
Cite this case

Campus Alert Archive. "University of Hawai'i — Hawai'i Community College: Ransomware breach threatened data of about 28,000 people; ransom payment acknowledged." Incident of June 19, 2023. Added May 2026; last updated July 2026. https://campusalertarchive.com/case/university-of-hawaii-nccc-ransomware-2023-06-19/

Download case JSON

Alert text quoted on this page remains the work of the issuing institution; the archive is a secondary source.

Tags
cyberattackransomwarenoescaperansom-paidcommunity-collegehawaiidata-breachinfrastructure-failuremfa-rollout
Added May 2026Updated July 2026Via ingestion