Thousands Affected by Ransomware Attack on Hawaii Company

In February, Hawaii Payroll Services suffered a ransomware attack. The company believes the attack was carried out by a criminal who somehow compromised a client's account.
September 28, 2021 • Peter Boylan, The Honolulu Star-Advertiser
(TNS) — About 4,500 customers of a Honolulu payroll processing company were potentially affected by a ransomware attack that exposed Social Security numbers, dates of birth, the full names of clients and bank account information.

In mid-February, Hawaii Payroll Services LLC discovered its servers and databases had been breached by an unauthorized user.

The unauthorized access to the servers holding company information happened from Feb. 15 to 16, likely by someone "able to gain access to Hawaii Payroll's systems through a compromised client account and execute a privilege escalation attack that enabled the intruder to disable and remove security software and encrypt all data residing in Hawaii Payroll's servers," according to the company.

In response, the company said it suspended all remote client access and asked its third-party vendor that handles information technology operations to evaluate the extent of the intrusion.

Letters were sent in late May to people potentially affected by the attack, but some have been returned unopened, and Hawaii Payroll Services is still trying to gain access to many of the files it was locked out of, said company owner Michelle Wells-Nagamine in an interview with the Honolulu Star-Advertiser.

There have been no reports, so far, that the data is available on the dark web or has been used inappropriately, she said, and some of the encryption information has been released.

"It is an impact for sure, but we have to deal with IT, " Wells-Nagamine said. "We got everything put back in for this year, and we marched forward. That's all I can do."

The company retained "expert forensic assistance" to further investigate and remediate the situation and to suggest security improvements, according to Wells-Nagamine.

Founded in July 2003, Hawaii Payroll Services is a domestic limited liability company, according to the state Department of Commerce and Consumer Affairs. It provides payroll processing, 401(k) reporting and payroll tax filing.

The company serves more than 120 local companies, including Rainforest at Kilohana Square, Diamond Bakery, Yummy's BBQ and Jean's Warehouse.

Wells-Nagamine filed a police report and a complaint with the Federal Bureau of Investigation's Honolulu field office. Notifications to state regulators and credit reporting agencies are ongoing.

The Honolulu Police Department's Financial Crimes Detail has opened a first-degree unauthorized computer access investigation. No arrests have been made in the case, according to HPD spokeswoman Michelle Yu. The FBI did not immediately reply to a request for an update on the complaint reported by Wells-Nagamine.

Last year proved a boon for Internet criminals as more Americans worked remotely, participated in distance learning or used online resources due to the COVID-19 pandemic. Nationally, Internet crimes increased about 40%, from 467,361 complaints that cost Americans about $3.5 billion in 2019 to 791,790 complaints and $4.2 billion in losses in 2020, according to the U.S. Department of Justice.

Last year the FBI's Internet Crime Complaint Center received 2,474 ransomware reports, which accounted for over $29.1 million in losses. Ransomware is a type of malware that encrypts data on a computer, making it unusable, according to the FBI.

The dollar figure does not include estimates of lost business, time, wages, files or equipment, or any third-party remediation services acquired by a victim, according to the FBI. In some instances, victims do not report losses to the federal government, generating an artificially low overall ransomware loss rate.

Whoever initiates the attack holds the data hostage until a ransom is paid or some other arrangement is reached in exchange for access to the encrypted information. According to the Justice Department, in some cases cyber criminals have pressured victims by threatening to destroy their data or make it public.