HPE’s Aruba networking unit hit by cyber attack
Aruba Central is the supplier’s flagship cloud product, which enables IT teams to manage and optimise their campus, branch, remote, datacentre and internet-of-things networks from a single dashboard.
Aruba describes the service as having “robust security”. Nevertheless, an undisclosed threat actor was able to obtain an access key that gave them access to two data repositories, Network Analytics and Contact Tracing, containing a “limited subset” of information that the firm classifies as customer personal data.
The data included identifying device media access control (MAC) addresses, IP addresses, device operating system types and hostnames, and user names for Wi-Fi networks where authentication is used, as well as the dates, times, and physical Wi-Fi access points (APs) to which devices connected.
This data could easily be used to determine a user’s location, which is potentially of use for targeted follow-on cyber attacks. The data is not, however, deemed to be sensitive or special category under the General Data Protection Regulation (GDPR).
An HPE spokesperson told Computer Weekly: “On 2 November, HPE discovered that an access key to data related to the network analytics and contact-tracing features of Aruba Central, our cloud-based network management and monitoring solution, was compromised and used by an external actor to access the environment over a period of 18 days between 9 and 27 October 2021.
“The access key was decommissioned on 27 October as part of regular security protocols, and the environment is secure. No sensitive personal data was exposed.
“HPE takes data privacy and security very seriously and has notified all impacted customers. We have launched a full investigation into this incident and are taking appropriate remediation actions to prevent another incident of this type.”
The firm said extensive analysis by its engineers had determined that only a “very small amount” of data, “if any at all”, had been viewed or exfiltrated. This is because the usage records of the compromised repositories indicate that the vast majority of activity during the relevant period was authorised, with the unexplained activity described as “negligible”.
Also, the data is purged on a rolling 30-day basis, so given the attack timeframe, only records dating back to early September were stored in the compromised buckets.
However, at this stage of its investigation, Aruba has been unable to determine which customers may have had their data stolen. This is because the data repositories stream the high-volume machine learning data that powers the Aruba Central AI Insights network analysis feature, so individual file access within them is not logged.
Aruba said it was now making “systematic enhancements” to its access key policies and management tools, and speeding up the timeline of an ongoing internal project to reduce the use of such keys in favour of a more comprehensive identity and access management (IAM) setup.