URGENT ACTION REQUIRED: Read this Article on Digital Dangers!
Ransomware, email compromises and phishing scams are hurting businesses across the Islands. Learn about the most recent attacks and get local cybersecurity experts’ advice to avoid becoming the next victim.

Cybercrime can happen to anyone, even high-ranking government officials. Take it from the state’s Lieutenant Governor, who realized her Alaska Airlines miles account had been drained in January.
“Truly, anyone is susceptible to cyber threats. It’s more common than many people think,” Lt. Gov. Sylvia Luke wrote in an emailed statement to Hawaii Business Magazine. “When I noticed that most of my miles had been redeemed by an unknown individual, I reached out to Alaska Airlines right away, and their team helped me quickly resolve the situation.”
Alaska Airlines confirmed that they promptly returned Luke’s points to her account but declined to comment on whether they identified the individual that stole her miles and if any action was taken against the person. The airline emphasized that protecting its users’ accounts is a top priority. “We routinely implement a number of security safeguards to protect guest information and continue to invest in security measures,” a spokesperson for Alaska Airlines said in an emailed statement, adding that they’ve started “incorporating multi-factor authentication across our Atmos Rewards accounts.”
They also strongly advise people to use strong, unique passwords to protect themselves from hackers. Although this tip may sound obvious, multiple studies show that an alarming number of people still have unsafe password practices.
“As scams and cybercrimes continue to rise, initiatives like Connect Kākou are more important than ever. Not only are we expanding internet access across our state, but we are also working to ensure people know how to use the internet safely and effectively,” Luke said. “We encourage everyone to stay SAFE when navigating online spaces: Stop, Ask someone you trust, Fact-check, and Exit if unsure. It’s important that we look out for one another, especially our keiki and kūpuna.”
The Scale of Impact
The FBI’s 2024 Internet Crime Report ranks Hawaiʻi 14th among 57 U.S. states, districts and territories for cybercrime losses per capita. According to complaints filed with the bureau’s Internet Crime Complaint Center (IC3), the state’s government, residents and businesses lost an estimated $55 million because of cybercrimes that year.
But experts warn that the true financial toll is much higher than the data indicates. “Only about 15-20% of cybercrimes are formally reported,” says Howard Whitman, a cybersecurity consultant at Honolulu-based cybersecurity firm Cypac. Based on that estimate, the true economic impact in Hawaiʻi likely soared past $300 million in 2024.
Several factors deter victims from coming forward, including a lack of awareness, distrust of law enforcement, personal shame and fear of reputational damage. Whitman believes underreporting is especially prevalent in Hawaiʻi “because there’s such a heavy elderly population” who may be less inclined or able to report digital theft.
A senior executive at one of the state’s top financial institutions told Hawaii Business that cybercrimes are rising “exponentially.” The executive, who said the company is confident about its own cybersecurity measures, declined to be quoted by name, saying that to do so would invite potential hackers to try to target it.
With AI bots able to exploit corporate weaknesses in seconds, and as U.S. businesses and individuals come under increased cyberattack by global operatives in the wake of President Donald Trump’s war against Iran, the threats are only growing. None other than FBI Director Kash Patel has been hacked. Hours after an Iranian government-linked group posted documents online, the FBI confirmed in March that hackers had accessed Patel’s personal emails.
While those high-profile cases get a lot of attention, even small firms can become victims. Here are some examples:
In 2022, the Kaimana Beach Hotel narrowly escaped a $130,000 theft after a hacker called a front desk worker and impersonated a representative from the hotel’s IT firm. By convincing them that he needed to perform routine system maintenance, the scammer gained remote access to the hotel’s computers. According to law enforcement sources, the staff member quickly spotted a series of unauthorized credit card transactions totaling over $130,000. The employee immediately severed the connection, and a hotel spokesperson later confirmed that they successfully blocked the transfers, ensuring “no funds were lost.”
Hawaiian Airlines faced a significant cybersecurity event that compromised several of its internal IT systems in 2024. The airline maintained that flight operations and guest travel remained unaffected throughout the incident, but they still suffered reputational costs as a result of the breach.
In 2025, the Hawaiʻi Attorney General’s Office issued an urgent warning to local nonprofit organizations regarding the rise of fake check scams targeting nonprofits. In these schemes, fraudulent donors send counterfeit checks and then request an immediate partial refund. Because banks often make funds available before a check fully clears, many organizations fulfill these refund requests, only to discover days later that the original donation was counterfeit. Once the check bounces, the nonprofit is held legally responsible for the lost funds and associated bank fees.
Hawaiʻi’s healthcare sector and residents are still feeling the impact of the largest healthcare data breach in U.S. history, which affected more than half the country. In February 2024, the hacking of Tennessee-based Change Healthcare’s network caused massive disruption to healthcare providers across the country due to the prolonged outage of its clearinghouse systems. Even though the UnitedHealth Group subsidiary paid $22 million in ransom, medical and other personal records for nearly 193 million people were compromised. The shock caused healthcare sector companies in Hawaiʻi and elsewhere to take steps to secure their own systems.
“A Corporate Culture of Cybersecurity”
Stan Emoto, a business development manager at Cypac, says that while IT companies are usually great at providing general technological assistance, “they might not be as up to speed on every single cyber security crime that comes through, which is what we see all the time” as specialists in the field.
In February, HR company ProService Hawaiʻi said it had partnered with Cypac to offer its clients cybersecurity benefits.
When Cypac is hired by a new business, Emoto says, they reassure existing IT administrators that the goal isn’t replacement, but reinforcement: “We’re not here to take over your job. We’re just here to complement what you do.” However, thwarting attacks requires vigilance across the entire organization, not just the tech department. Terence Tang, vice president of client strategy at Intech Hawaii, stresses that businesses need to have a “corporate culture of cybersecurity, because it starts at the top.” He says this initiative should be spearheaded by “internal champions,” ideally at the C-suite level.
Cybersecurity firms such as Cypac and Intech Hawaii provide a multi-layered defense. This includes 24/7 threat monitoring and the implementation of robust security strategies like multi-factor authentication and password management. They also train employees to recognize red flags and provide clear protocols for responding to potential threats.
“The number one threat protection is awareness,” says Tang. To keep pace with evolving tactics, he says Intech’s training programs require employees to complete a new curriculum every quarter that educates on the latest threats.
Beyond security, these partnerships ensure that businesses remain compliant with complex legal frameworks in healthcare, defense contracts and credit card payment processing, among others. Failure to meet these standards can result in massive fines, even if a breach never occurs.
Red Flags
Al Ogata, president and CEO of CyberHawaii, a nonprofit he describes as dedicated to “building resilience in the business community and consumers against online threats,” says understanding the mechanics of these threats is the first step in building a robust defense. Here are some of the most common types of cybercrimes targeting businesses:
- Phishing and Spoofing: These are deceptive practices where attackers masquerade as a trusted entity (like a bank, the DMV or a colleague at work) via email, text or phone calls to steal sensitive information. In the past, a telltale sign of phishing scams and other cyberattacks was spelling and grammar mistakes, but now cybercriminals can use AI to formulate well-written messages and even manufacture images that make them appear more legit.
- Business Email Compromise: These are sophisticated scams targeting businesses that frequently perform wire transfer payments. The attacker compromises legitimate business email accounts to conduct unauthorized transfers of funds. Tang advises extreme skepticism regarding emails that pair unexpected requests with consequences, “especially if there’s some type of sense of urgency or there’s some emotional attachment to it.” In these cases, the best course of action is to “call the person” directly to verify the request.
- Ransomware: Often the result of a successful phishing attack or business email compromise, ransomware is malicious software that encrypts a company’s data, holding it hostage until a ransom is paid. “We typically, like the FBI and other authorities, recommend not paying the ransomware for a variety of reasons,” says Whitman. Chief among these reasons is that payment provides no guarantee that the hackers will actually restore access to the files. Instead, victims should immediately report the incident to the FBI IC3 and consult with cybersecurity specialists who may be able to recover data from backups.
These three kinds of cyberattacks are just the tip of the iceberg. For more information on the variety of ploys used by cybercriminals and additional resources to protect your organization, visit tinyurl.com/2evphxfd.
Best Practices
A 2026 All About Cookies survey of 1,000 internet users found that 84% of respondents incorporate personal information such as birthdates in their passwords, making them easier for hackers to crack. The survey also found 50% of respondents reuse passwords across multiple online accounts, which can cause a single breach to spread like wildfire.
Once hackers obtain one password, they immediately test it across multiple platforms — email, banking, social media — which is why setting different passwords for every account is critical.
But keeping track of so many different passwords is tricky, so cybersecurity experts recommend using password managers: secure, encrypted digital tools that generate and store complex, unique passwords for all your online accounts. Whitman says “the key thing is just having to remember a strong master password” that grants you access to the password manager.
Multifactor authentication (MFA) is another essential safeguard, but “there’s certain versions of MFA that are better than others,” Ogata says. “The SMS text to the phone is the least safe of the approaches for MFA, because devices can be taken over and potentially stolen, or they can steal an eSIM, and then basically grab any kind of incoming SMS message.” He recommends using authenticator apps or biometric signals, which are much harder for hackers to intercept.
Most professional-grade password managers and MFA services are highly affordable, with monthly subscriptions usually priced around the cost of a single cup of coffee.
The Road to Recovery
If a business falls victim to cybercrime, the response must be swift and organized. Experts recommend taking these measures:
- Disable the compromised accounts and change all passwords immediately to prevent further infiltration.
- Notify your carrier immediately if you have cyber insurance.
- Save all logs, emails and screenshots. Do not “wipe” systems until forensic experts have gathered the necessary evidence.
Regardless of whether your business has cyber insurance, contact the right authorities following a cybercrime: “If it’s a financial scam involving a credit card, get the credit card company involved right away. If it’s a bank account, get the bank involved right away,” Ogata advises. He notes that if the FBI is notified within 72 hours of a wire transfer crime, they often have the ability to “claw money back.” While they may not recover the full amount, quick action provides the best chance for financial restitution.
Having cyber insurance can help victims of cybercrimes recover their losses, but “just because you have cyber insurance doesn’t necessarily mean that the cyber insurance company will pay on that cyber claim” because there are “requirements that must be met in order for them to make a payment on that policy,” Whitman explains. Cybersecurity specialists can help ensure businesses meet their policy stipulations.
Free and inexpensive lines of defense include staying informed about emerging digital threats, maintaining unique passwords for every account and enabling multi-factor authentication. In today’s landscape, it is no longer a question of if you will be targeted, but when.



