Cyber Incident Victim: University of Hawaii
Date:
Jan 2015
Location:
United States of America
Summary
The University of Hawaii experienced a cybersecurity breach where an attacker using the alias @MarxistAttorney exploited SQL injection vulnerabilities to access root credentials, MAC addresses, service tags, and usernames for university computers and smart boards. Although the breach did not compromise student or employee personal information, approximately 2,000 lines of system data were publicly dumped out of 65,000 lines acquired. The attacker claimed the intrusion was a protest against high tuition costs and criticized the institution's IT security practices, citing inadequate vulnerability audits. The exploited vulnerability was reportedly patched after the breach. This incident followed prior data security issues at the university, which had previously led to regulatory scrutiny and legal settlements.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In January 2015, the University of Hawaii experienced a cybersecurity breach perpetrated by an individual using the alias @MarxistAttorney. The attacker exploited a SQL injection vulnerability to gain unauthorized access to university systems, acquiring approximately 65,000 lines of data. While the publicly released data dump contained only 2,000 lines and excluded student or employee personal information, it included sensitive system credentials such as root usernames and passwords. The compromised data also encompassed technical details for university devices, including MAC addresses, service tags, and usernames associated with every computer and smart board on campus. Upon notification by DataBreaches.net, which provided the vulnerable URL used in the attack, university officials acknowledged the inquiry and initiated an investigation but had not confirmed or denied the breach by the time of the article’s publication on January 7, 2015. The attacker claimed the SQLi vulnerability had been patched post-breach, though the intrusion had already occurred. This incident marked another security failure for the University of Hawaii, which had faced multiple breaches between 2009 and 2011 involving sensitive student data exposures, a critical report from the Liberty Coalition, and a settled class-action lawsuit in 2012.
@MarxistAttorney publicly claimed responsibility for the hack, citing opposition to high tuition costs and student debt as primary motivations. The attacker, self-identifying as a university student burdened by loans, stated the breach aimed to pressure institutions to reduce fees or eliminate tuition entirely. The intrusion methodology focused on exploiting unpatched SQLi vulnerabilities, with the attacker criticizing the university’s IT teams for inadequate security audits. While the 2015 breach did not expose personally identifiable information like earlier incidents, it compromised critical infrastructure data that could facilitate further system intrusions. The University of Hawaii’s delayed public response contrasted with its history of breach settlements and prior criticisms regarding data protection practices. No evidence suggested financial data theft or immediate misuse of the exposed technical information, but the incident highlighted persistent vulnerabilities in the university’s cybersecurity posture amid broader institutional challenges.