HPE-owned Aruba has disclosed that an access key to the data repositories for their Aruba Central network monitoring platform was compromised, allowing an unauthorized external threat actor to access the subset of information.
Internal security monitoring tools installed in the Aruba Central environment discovered a suspicious activity and alerted the Security Operations team. On further investigation, the team inferred that the access was unauthorized and affirmed the breach on November 2, 2021.
Aruba detailed the breach, stating that it exposed the data repository; one dataset (“network analytics”) contained network telemetry data for most Aruba Central customers about Wi-Fi client devices connected to customer Wi-Fi networks. A second dataset (“contact tracing”) contained location-oriented data about Wi-Fi client devices, including which devices were in proximity to other Wi-Fi client devices.
“The Customer Personal Data in the exposed data repositories consists of device Media Access Control (MAC) address, IP address, device operating system type and hostname, and, for Wi-Fi networks where authentication is used, the username. The data repositories also contained records of date, time, and the physical Wi-Fi access point where a device was connected, which could allow the general vicinity of a user’s location to be determined. The environment did not include any sensitive or special categories of personal data (as defined by GDPR),” Aruba said.
On deeper analysis of the usage records of the exposed repositories with authorized activity, Aruba engineers discovered a small data pool to be affected.
“This lets us state definitively that the unauthorized actor did not view, download, or transfer out of the repositories any significant amount of data,” states Aruba.
I’m sorry @HPE @ArubaNetworks but this is the sorriest breach disclosure I’ve ever seen. You don’t consider physical location + username personal info?
“Q: How much data was exfiltrated?
A: We believe a very small amount, if any at all”
You don’t know?https://t.co/EPOhzDisHU
— JJ (Jennifer Minella) (@jjx) November 10, 2021
Action – Key Revoked
When the incident was discovered, HPE had already decommissioned and rotated the access key in question on October 27, 2021, as part of a regular security exercise. As a result, the threat actor had no further access using the key after that date. HPE then ran a search of all Aruba Central logs to establish any additional unauthorized usage of the keys.
“The Security Operations team activated its data breach incident response plan, notifying various Security, Legal, and Privacy functions inside HPE,” said Aruba.