Aruba Networks said it suffered a network breach that resulted in the loss of customer location data.
The HPE-owned networking vendor announced in an FAQ document this week that from October 9 to October 27, an outside attacker was able to access the database used to hold telemetry and location data for customers who were using the Aruba Central management service for their Wi-Fi gear.
Most notably, the stolen data included information from the contact tracing service Aruba offers its customers.
“The Customer Personal Data in the exposed data repositories consists of device Media Access Control (MAC) address, IP address, device operating system type and hostname, and, for Wi-Fi networks where authentication is used, the username,” HPE and Aruba told customers.
“The data repositories also contained records of date, time, and the physical Wi-Fi access point where a device was connected, which could allow the general vicinity of a user’s location to be determined.”
According to HPE and Aruba, the attacker was able to break into the database through the use of a stolen access key that also allowed them to decrypt the stored data. The company told SearchSecurity that it does know how the key was obtained, but it would not elaborate.
HPE noted that the key was automatically turned off on October 27th as part of its routine security procedures. In fact, the company said that it was only on November 2, six days after the key was deactivated, that the breach was discovered and reported.
“Security monitoring tools deployed inside the Aruba Central environment alerted our Security Operations team to suspicious activity,” the company said in its FAQ. “The team investigated the activity and on November 2, 2021 concluded that it had been unauthorized.”
The FAQ was notably thin on details in several areas. For example, the Aruba team said it believes the exfiltrated customer data is limited to a “very small amount, if any at all.” But the company cannot even say which specific customers had their information lifted, or what files were accessed and when. The company said it does not enable logging for individual file access for these Aruba Central repositories – even though they contain customer data – because the repositories are “used for streaming of high-volume machine learning data.”
While the lost data may not in itself pose a massive security risk in terms of launching additional attacks, the physical telemetry and location data of Aruba Central users could be used, particularly when as of right now nobody knows who exactly was exposed and what files were viewed by the intruder.
Aruba said that as of right now, no actions are required by customers and there is no need to change any passwords or other account settings.