HPE revealed that the data repositories for its Aruba Central network monitoring platform have been compromised, allowing a threat actor to access data collected on monitored devices and their locations.
Aruba Central is a cloud networking solution that allows administrators to manage large networks and components from a single dashboard.
HPE today revealed that a threat actor obtained an “access key” that allowed them to view customer data stored in the Aruba Central environment. The threat actor had access for 18 days between October 9, 2021 and October 27, when HPE revoked the key.
The exposed repositories contained two datasets, one for network analytics and the other for Aruba Central's “contact tracking” feature.
“One dataset (“network analytics”) contained network telemetry data for most Aruba Central customers on Wi-Fi client devices connected to the customer’s Wi-Fi networks. A second set of data (“tracking contacts”) contained location data on Wi-Fi client devices including devices that were in close proximity to other Wi-Fi client devices,” explains an Aruba Central FAQ about the security incident.
The network analytics dataset exposed in these repositories included MAC addresses, IP addresses, operating systems, host name, and, for authenticated Wi-Fi networks, a person’s username.
The contact tracking dataset also included the date, time, and Wi-Fi hotspots that users were connected to, potentially allowing the attacker to track the general proximity of users’ location.
“The data stores also contained records of the date, time, and physical Wi-Fi access point to which a device was connected, which could help determine the general proximity of a user’s location. The environment did not include sensitive or special categories of personal data (as defined by the GDPR),” reads the FAQ.
Because the HPE FAQ mentioned the word “bucket” several times, it is likely that a threat actor has obtained the access key for a storage bucket used by the platform.
After investigating the breach, HPE concluded that:
- No more than 30 days of data has been stored within the environment at any one time, as data in the network analytics and contact tracking capabilities of the Aruba Central environment is automatically deleted every 30 days.
- The environment included personal data, but no sensitive personal data. Personal data includes MAC addresses, IP addresses, device operating system type and host name and some usernames. The contact tracking data also included the users’ access point (AP) name, proximity, and duration of connection to that AP.
- The likelihood that your personal data has been accessed is extremely low, based on an in-depth analysis of access and traffic patterns.
- Security-sensitive information has not been compromised, so we don’t believe it is necessary to change passwords, change keys, or alter network configuration.
HPE says they are changing the way they secure and store access keys to prevent future incidents.
Bleeping Computer has contacted HPE for more information on the breach and will update the article if we receive a response.
Thanks to John for the tip!