Univ. of Hawaii settles with 98,000 over five breaches

The University of Hawaii (UH) has settled a class-action data breach lawsuit brought by nearly 100,000 students, faculty, alumni and staff, according to the plaintiffs' lawyers.

The suit relates to five breaches in all, including one involving the inadvertent posting online of personal information by a faculty member who accidentally uploaded sensitive files to an unencrypted web server. Details included names, Social Security numbers, addresses, birth dates and educational data.

In another incident, hackers gained access to a UH at Manoa parking office computer server that contained the personal data of 53,000 individuals, including 40,870 Social Security numbers and 200 credit card numbers.

UH agreed to provide two years of credit and fraud protection services as part of the agreement.

Attorneys for the plaintiffs said Thursday that this marks the largest-ever class-action and first-ever data breach lawsuit to be settled in Hawaii.

“Offering two years of credit monitoring and fraud restoration services to breach victims should be the standard response by any breaching entity in Hawaii, including government agencies,” attorney Bruce Sherman said.

Members of the class -- 98,000 in all -- will be notified by March 1 of the settlement, which still is subject to court approval.

“The University of Hawaii engaged an expert external consultant to review its information security policies and practices across the university system, including all ten campuses, and is now actively implementing the recommendations as a system-wide security program," a spokeswoman told SCMagazine.com Friday in an email.