Hawaii payroll processing firm has confirmed the data breach which affected nearly 4,500 customers. The company suffered a ransomware attack in mid-February that exposed social security numbers, dates of birth, the full names of clients, and bank details.
“The company’s server were breached by someone able to gain access to Hawaii Payroll's systems through a compromised client account and execute a privilege escalation attack that enabled the intruder to disable and remove security software and encrypt all data residing in Hawaii Payroll's servers," according to the company.
To mitigate the risks, the firm suspended all remote client access and asked its third-party vendor that manages information technology operations to examine the extent of the breach. The company filed a complaint with the Federal Bureau of Investigation's Honolulu field office and also notified state regulators and credit reporting agencies.
Earlier this year in May, the company sent letters to customers potentially impacted by the ransomware attack, but some were returned unopened, and the company is still trying to secure access to many of the files that were encrypted by the attacker, said company owner Michelle Wells-Nagamine in an interview with the Honolulu Star-Advertiser.
Fortunately, there have been no reports of data leakage on the dark web. "We got everything put back in for this year, and we marched forward. That's all I can do. The company retained "expert forensic assistance to further investigate and remediate the situation and to suggest security improvements,” she added.
According to the state Department of Commerce and Consumer Affairs, Hawaii Payroll Services, established in July 2003, is a domestic limited liability that offers payroll processing, 401 (k) reporting, and payroll tax filing. It serves more than 120 local companies, including Rainforest at Kilohana Square, Diamond Bakery, Yummy's BBQ and Jean's Warehouse.
According to the U.S. Department of Justice, cybercrimes surged by 40% in 2020, from 467,361 complaints that cost U.S. citizens nearly $3.5 billion in 2019 to 791,790 complaints and $4.2 billion in losses in 2020. Additionally, the FBI's Internet Crime Complaint Center received 2,474 ransomware reports last year which accounted for over $29.1 million in losses.
However, estimates of lost business, time, wages, files or equipment, or any third-party remediation services acquired by a victim were not included in a dollar figure. In some instances, victims do not report losses to the federal government, generating an artificially low overall ransomware loss rate.
