The University of Hawaii’s (UH) Cancer Center made public last week that it was the victim of a ransomware attack dating back to last summer that included the exposure of Social Security and driver’s license records for 1.2 million people.

In a public release on Feb. 27, the university said the attack on the Cancer Center’s Epidemiology Division — first identified on Aug. 31, 2025 — was limited to research operations and had no impact on clinical operations or patient care.

However, while UH said it initially believed only research files pertaining to a specific cancer study were involved, further investigation confirmed the existence of a set of personal information files of the participants dating back to the 1990s, which included Social Security numbers, state driver’s license numbers, and city of Honolulu voter registration records.

The university pointed out that during the investigation, UH engaged with the threat actors and worked closely with cybersecurity experts to obtain a decryption tool that resulted in the destruction of the information the threat actors illegally obtained.
What’s of special note to security pros is that because of the extensiveness of the encryption by the threat actors, UH officials said it took "some time" for them to restore the affected systems and be in a position to assess the impact to data.

Jason Soroko, a senior fellow at Sectigo, explained that when adversaries aggressively encrypt not only primary data stores, but also indexing systems and potentially localized backups, the forensic process of identifying what was compromised becomes complex.

“Security teams are then forced into a recovery phase, having to rebuild systems from the ground up and piece together fragmented data to conduct accurate discovery before they can confidently notify affected individuals,” said Soroko.

Soroko added that security teams must enforce aggressive network segmentation and deploy immutable, offline backups that cannot be easily reached by automated ransomware strains. With certificate-based authentication, along with automated certificate lifecycle management, Soroko said organizations can revoke compromised credentials, identify anomalous encrypted traffic, and shrink the window of opportunity a ransomware operator has to map the network and achieve their goals.

Michael Bell, chief executive officer at Suzu Labs, added that the encryption delay is real and typical for organizations that don't have a data inventory. Bell said UH couldn't assess what was compromised because they didn't know what lived on those servers until they decrypted them and looked.

“That's how they found 1990s-era research files with 1.2 million Social Security numbers nobody knew were there,” said Bell. “The encryption slowed the timeline, but the data retention failure is what created the exposure. Organizations that maintain a proper data inventory already know what's on the affected systems and can start the notification process while restoration is still underway instead of waiting months to find out.”

Bell said research from his team also found more than 1,500 hawaii.edu credentials with plaintext passwords circulating on the dark web in the last 30 days alone, many in large combo lists specifically targeting .edu domains.

“University IT and security teams across the board should treat credential exposure as an ongoing problem, not something they check after an incident,” noted Bell.

John Bambenek, president at Bambenek Consulting, said teams should consider that many breach notification laws include a “safe harbor” provision stating that notification isn’t necessary if attackers can't access the underlying data because of strong encryption.

“That means the attacker likely had their hands on enough data to engage in identity or credit fraud for six months when the affected individuals could have had credit monitoring or freezes put in place to protect themselves,” said Bambenek.
Ransomware attack exposes 1.2 million University of Hawaii Cancer Center records




