Getty Images/iStockphoto
Aruba Central breach exposed customer data
HPE-owned Aruba Networks said one of its cloud databases was accessed by hackers who were able to make off with location and telemetry data for its customers' Wi-Fi gear.
Aruba Networks said it suffered a network breach that resulted in the loss of customer location data.
The HPE-owned networking vendor announced in an FAQ document this week that from Oct. 9 to Oct. 27, an outside attacker was able to access the database used to hold telemetry and location data for customers who were using the Aruba Central management service for their Wi-Fi gear.
Most notably, the stolen data included information from the contact tracing service Aruba offers its customers.
"The customer personal data in the exposed data repositories consists of device media access control (MAC) address, IP address, device operating system type and hostname, and, for Wi-Fi networks where authentication is used, the username," HPE and Aruba told customers.
"The data repositories also contained records of date, time and the physical Wi-Fi access point where a device was connected, which could allow the general vicinity of a user's location to be determined."
According to HPE and Aruba, the attacker was able to break into the database through the use of a stolen access key that also allowed stored data to be decrypted. The company told SearchSecurity that it does know how the key was obtained, but it would not elaborate.
HPE noted that the key was automatically turned off on Oct. 27 as part of its routine security procedures. In fact, the company said it was only on Nov. 2, six days after the key was deactivated, that the breach was discovered and reported.
"Security monitoring tools deployed inside the Aruba Central environment alerted our Security Operations team to suspicious activity," the company said in its FAQ.
"The team investigated the activity and on Nov. 2, 2021 concluded that it had been unauthorized."
The FAQ was notably thin on details in several areas. For example, the Aruba team said it believes the exfiltrated customer data is limited to a " very small amount, if any at all." But the company cannot even say which specific customers had their information lifted, or what files were accessed and when. The company said it does not enable logging for individual file access for these Aruba Central repositories – even though they contain customer data because – because the repositories are "used for streaming of high-volume machine learning data."
While the lost data may not in itself pose a massive security risk in terms of launching additional attacks, the physical telemetry and location data of Aruba Central users could be used, particularly when as of right now nobody knows who exactly was exposed and what files were viewed by the intruder.
Aruba said that as no actions are currently required by customers and there is no need to change any passwords or other account settings.
