Cyber Incident Victim: Hewlett Packard Enterprise
Date: Oct 2021
Location: United States of America
Summary
Hackers breached a cloud-based network monitoring platform operated by Hewlett Packard Enterprise by stealing an access key, gaining unauthorized access to customer data repositories for approximately 18 days. The compromised datasets included network telemetry details such as MAC and IP addresses, device hostnames, operating systems, and usernames for authenticated Wi-Fi networks, alongside contact tracing information revealing device proximity, connection durations, and physical access point identifiers that could infer users' general locations. The company revoked the compromised key and initiated changes to access key management protocols to prevent recurrence, noting that no sensitive personal data categories under GDPR were exposed in the incident.
Description
On October 9, 2021, threat actors gained unauthorized access to Hewlett Packard Enterprise’s Aruba Central cloud networking platform by exploiting a stolen access key. The compromised environment contained two primary datasets: network analytics and contact tracing information collected from customer Wi-Fi networks managed through Aruba Central. The platform serves as a centralized dashboard for administrators overseeing large-scale network operations, including device monitoring and configuration. Attackers maintained persistent access for 18 days until HPE revoked the compromised key on October 27, 2021. The network analytics dataset exposed technical identifiers such as MAC addresses, IP addresses, hostnames, device operating systems, and, for authenticated Wi-Fi networks, individual usernames. The contact tracing dataset revealed additional location-centric details, including timestamps, Wi-Fi access point names, proximity records between devices, and connection duration metrics. This combination of data enabled potential tracking of users’ general physical locations based on access point associations, though HPE clarified the repositories contained no GDPR-defined sensitive or special categories of personal data.

The breach impacted telemetry and contact tracing records for most Aruba Central customers, exposing patterns of device interactions and network usage across monitored environments. HPE publicly disclosed the incident on November 10, 2021, confirming the attacker’s access was limited to data viewing and did not extend to modifying configurations or exfiltrating complete datasets. Analysis indicated the access key theft occurred external to Aruba Central’s infrastructure, though HPE did not specify the exact exfiltration method. In response, the company implemented changes to access key storage and protection mechanisms to prevent similar compromises. No evidence suggested customer networks themselves were breached or that the attacker leveraged exposed data for further intrusions. The incident highlighted risks associated with centralized cloud management platforms storing aggregated client device information, particularly location-tracking features designed for operational analytics.
