Dive Brief:
- Hewlett Packard Enterprise disclosed that unknown third-party threat actors gained access to a limited number of data repositories containing customer personal data in its Aruba Central cloud environment through an access key, according to a company post.
- One dataset included network telemetry data about Wi-Fi devices connected to customer Wi-Fi networks, while the second had location-oriented data about Wi-Fi client devices, including information on proximity to other Wi-Fi client devices.
- The threat actor gained entry through the access key from Oct. 9 through Oct. 27, when the key was decommissioned and rotated, which invalidated the old key, according to the company. The repositories included information dating back to Sept. 10, according to the company.
Dive Insight:
HPE officials became aware of the incident through security monitoring tools deployed inside the Aruba Central environment. After an investigation, they determined on Nov. 2 that the breach was not authorized.
"The external actors did not access the data repositories by way of a vulnerability in the Aruba Central platform," Adam Bauer, director, issues management and policy communications at HPE, said via email. "We take the security of our customers’ data extremely seriously and it was HPE’s own monitoring tools that alerted our Cloud Security Operations Team to this unauthorized access in a timely manner."
The customer data included device Media Access Control address, IP address, device operating system type and hostname, as well as the username for Wi-Fi networks where authentication is used, Bauer said, noting that sometimes that information can be used to identify individual users or devices.
The data repositories also contained records including date, time and the physical Wi-Fi access point where devices were connected, which could be used to determine the general vicinity of a user’s location, according to Bauer.
"The environment did not include any sensitive or special categories of personal data as defined by GDPR," Bauer said. "There’s no evidence that the information that the data involved could be used to gain access credentials to other systems."
The wireless networking provider is making "systematic enhancements" to its policies and tools for handling access keys in order to prevent a similar incident in the future, Bauer said. The Aruba Central team is accelerating an existing project that will minimize the use of access keys in favor of Identity and Access Management features of the cloud platform, according to Bauer.
Hewlett Packard originally acquired Aruba Networks in 2015 in a deal valued at $3 billion. Aruba Central provides analytics and other tools to help companies manage their networks.
Cloud infrastructures have become an increasingly frequent target of threat actors as more and more workloads have moved there since the beginning of the pandemic. Late last month, researchers from Mandiant disclosed that the threat actor behind the SolarWinds supply chain attack was targeting cloud service providers to gain access to their customers.
"This incident highlights the importance of robust encryption key management procedures," Tom Croll, senior research director at Gartner, said via email. "Encrypting data is no guarantee of data security if attackers gain access to the encryption keys themselves."
By 2023, 70% of all enterprise workloads will be deployed in cloud infrastructure and platform services, which is up from 40% in the year 2020, according to research from Gartner. The firm also says by 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users.