HPE on Wednesday disclosed to its customers that an access key that provides entry to a limited amount of data held in the Aruba Central cloud environment was used by an unauthorized — and still unknown — threat actor.
In an FAQ posted on the incident, HPE said it had confirmed the unauthorized access on Nov. 2. The investigation found that the first use of the access key was on Oct. 9 and the key was later decommissioned and rotated as part of the company’s standard security protocols on Oct. 27, a few days before HPE became aware of the incident.
According to HPE, one dataset contained network telemetry data for most Aruba Central customers about Wi-Fi clients connected to customer Wi-Fi networks. A second dataset consisted of location data about Wi-Fi clients, including which devices were in proximity to other Wi-Fi clients. The customer personal data in the exposed data repositories consisted of device MAC addresses, IP addresses, device operating system types and hostnames, and for Wi-Fi networks where authentication is used — the user name.
HPE said that while it was confident the exposure was limited and no sensitive data was lost, the company was bound to report the incident to customers under its own corporate policies and the GDPR regulations.
While we don’t always understand the motivations of hackers, especially when the profit motive isn’t inherent, this may simply be a prelude to a more comprehensive ransomware or other type of attack, said Saryu Nayyar, CEO of Gurucul.
“This could have been found and remediated using monitoring, logging, and analytics, but 18 days is enough time to have done some damage if they had a mind to [do something],” Nayyar said.
John Bambenek, principal threat hunter at Netenrich, added that while this breach will probably not pose a huge risk for data misuse, it may prove valuable for those who want to attack HPE further.
“The event serves as a reminder that secrets (or access keys) remain a very weak link in the chain of enterprise security,” Bambenek said. “By necessity, many people may have them and they are not often managed with the same scrutiny passwords are, even though they serve the same basic function.”
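Nayyar's point that monitoring and analytics could have caught the key use, and Bambenek's point that access keys rarely get the scrutiny passwords do, both come down to the same control: treat every access key as a principal whose usage is baselined and whose lifecycle is tracked. The following is an added example, not code from the article, HPE or Aruba, that runs three such checks over a constructed audit log: a key used from a source address never seen during the baseline period, a key older than a rotation threshold, and a key used after the inventory says it was decommissioned. The log format, the field names, the key IDs, the inventory and the 90-day threshold are all assumptions made for the example.

```python
"""Added example (not from the article, HPE or Aruba): flag suspicious
cloud access-key usage in constructed audit log lines.

Assumptions (all hypothetical): each log line is JSON with the fields
ts, key_id, principal, src_ip and action; a separate inventory maps each
key_id to its creation date and, if revoked, its decommission date.
"""
import json
from datetime import date, datetime, timedelta

# Constructed sample audit log (not real data). "AKIA-SAMPLE-1" is a
# long-lived key that suddenly appears from an unfamiliar address;
# "AKIA-SAMPLE-2" is used after the inventory says it was decommissioned.
SAMPLE_LOG = """
{"ts": "2021-09-01T08:00:00Z", "key_id": "AKIA-SAMPLE-1", "principal": "telemetry-svc", "src_ip": "10.0.5.12", "action": "ReadTelemetry"}
{"ts": "2021-10-09T02:13:40Z", "key_id": "AKIA-SAMPLE-1", "principal": "telemetry-svc", "src_ip": "203.0.113.77", "action": "ReadTelemetry"}
{"ts": "2021-10-09T02:14:05Z", "key_id": "AKIA-SAMPLE-1", "principal": "telemetry-svc", "src_ip": "203.0.113.77", "action": "ListBuckets"}
{"ts": "2021-10-28T11:00:00Z", "key_id": "AKIA-SAMPLE-2", "principal": "ci-runner", "src_ip": "10.0.7.3", "action": "ReadLocation"}
"""

# Constructed key inventory: when each key was issued and (optionally) revoked.
KEY_INVENTORY = {
    "AKIA-SAMPLE-1": {"created": "2021-03-01", "decommissioned": None},
    "AKIA-SAMPLE-2": {"created": "2021-08-15", "decommissioned": "2021-10-27"},
}

# Assumed rotation policy: a key older than this at time of use is flagged.
MAX_KEY_AGE = timedelta(days=90)


def parse_ts(s):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text):
    """Turn newline-delimited JSON audit lines into events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, baseline_end):
    """Record which source addresses each key was used from before baseline_end."""
    seen = {}
    for ev in events:
        if ev["ts"] < baseline_end:
            seen.setdefault(ev["key_id"], set()).add(ev["src_ip"])
    return seen


def _finding(ev, reason):
    return {"key_id": ev["key_id"], "reason": reason,
            "ts": ev["ts"].isoformat(), "src_ip": ev["src_ip"]}


def find_suspicious_key_use(events, inventory, baseline_end, max_age=MAX_KEY_AGE):
    """Apply three checks to every event at or after baseline_end.

    new_source: first use of a key from an address absent from its baseline
                (a key with no baseline at all is flagged on first sight).
    stale_key: key age at time of use exceeds max_age (reported once per key).
    use_after_decommission: use strictly after the inventory's revocation date.
    """
    seen = build_baseline(events, baseline_end)
    already_stale = set()
    findings = []
    for ev in events:
        if ev["ts"] < baseline_end:
            continue
        key = ev["key_id"]
        meta = inventory.get(key, {})
        known_ips = seen.setdefault(key, set())
        if ev["src_ip"] not in known_ips:
            findings.append(_finding(ev, "new_source"))
            known_ips.add(ev["src_ip"])  # flag each new address only once
        created = meta.get("created")
        if created and key not in already_stale:
            age = ev["ts"].date() - date.fromisoformat(created)
            if age > max_age:
                findings.append(_finding(ev, "stale_key"))
                already_stale.add(key)
        decom = meta.get("decommissioned")
        # Strictly after the decommission date; same-day use would need the
        # exact rotation timestamp to judge.
        if decom and ev["ts"].date() > date.fromisoformat(decom):
            findings.append(_finding(ev, "use_after_decommission"))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_suspicious_key_use(evs, KEY_INVENTORY, parse_ts("2021-10-01T00:00:00Z")):
        print(f)
```

The baseline window is what makes the first check work: an access key that has only ever been used from one service's address range should raise a finding the moment it shows up from anywhere else, which is exactly the kind of signal an 18-day dwell time gives a defender time to act on. The inventory-driven checks are the "same scrutiny as passwords" half: they need nothing from the log beyond the key ID, so they can run even where the usage telemetry is thin.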
Hank Schless, senior manager, security solutions at Lookout, said this incident underscores the importance of security teams ensuring that all their cloud access keys are encrypted and properly secured. In doing so, companies can mitigate the risk of a threat actor obtaining a key and being able to watch traffic between the company’s cloud apps and customers.
“Encrypting and securing keys can be done internally, but also with a trusted partner,” Schless said. “If you have a multinational presence, it also makes sense to store them in-region with local data hosting. Some security vendors offer customers the ability to store their own keys, rather than the vendor storing those keys themselves. You may want to do this if you’re working with an international vendor and need to ensure alignment with local data privacy standards like GDPR or CCPA.”