Aruba Central Security Incident
Frequently Asked Questions
Q: What happened?
A: HPE/Aruba became aware that an access key which provided access to a limited subset of information held in the Aruba Central cloud environment was used by an unauthorized external actor. The data repositories exposed to the external actor contained information classified as "Customer Personal Data" under our Data Privacy and Security Addendum and as a result, we are notifying customers of the incident.
Q: Which data repositories were exposed?
A: One dataset ("network analytics") contained network telemetry data for most Aruba Central customers about Wi-Fi client devices connected to customer Wi-Fi networks. A second dataset ("contact tracing") contained location-oriented data about Wi-Fi client devices including which devices were in proximity to other Wi-Fi client devices.
Q: What was the Customer Personal Data?
A: The Customer Personal Data in the exposed data repositories consists of device Media Access Control (MAC) address, IP address, device operating system type and hostname, and, for Wi-Fi networks where authentication is used, the username. The data repositories also contained records of date, time, and the physical Wi-Fi access point where a device was connected, which could allow the general vicinity of a user's location to be determined. The environment did not include any sensitive or special categories of personal data (as defined by GDPR).
Q: Does a MAC address uniquely identify a user or device?
A: Sometimes. Many operating systems include a "MAC address randomization" or "Wi-Fi Privacy" feature which uses a different MAC address each time the device connects to a Wi-Fi network. This breaks the persistent association between a MAC address and a specific device.
Q: Does a Wi-Fi username uniquely identify a user or device?
A: Sometimes. Many Wi-Fi networks managed by Aruba Central employ "open" or "pre-shared key authentication" (a.k.a WPA2-PSK or WPA2-Personal). Those types of networks do not make use of usernames, and so this field would be blank in the Aruba Central records. If Wi-Fi authentication (a.k.a. WPA2-Enterprise) is used, the username field format is chosen by each Aruba customer. It could contain random text, an email address, an Active Directory username, or other customer-chosen identifier.
Q: How much data was exfiltrated?
A: We believe a very small amount, if any at all. Aruba engineers have analyzed the usage records of the exposed repositories and have correlated those records with known, authorized activity. The remaining unexplained activity represents a negligible proportion of all the data stored in the repositories. This lets us state definitively that the unauthorized actor did not view, download, or transfer out of the repositories any significant amount of data.
Q: Was my specific data exfiltrated?
A: Unfortunately, we cannot determine this. Because these data repositories are used for streaming of high-volume machine learning data, we do not log individual file access within these repositories. Through traffic volume accounting, we have concluded that unauthorized access, if any, is limited to a small fraction of overall data, but we do not know which specific files or which specific customers might be part of that activity.
Q: If you are not sure my data was accessed, why are you notifying me?
A: Aruba and HPE's Data Privacy and Security Addendum and the GDPR require us to notify customers of a breach of security leading to unauthorized access to Customer Personal Data. Because an unauthorized external actor was in possession of a key that may have provided access to your data, we are required to notify you, regardless of whether your data was accessed.
Q: What does Aruba use this data used for? Why is it collected?
A: The network analytics data feeds machine learning algorithms that power the Aruba Central "AI Insights" feature. The feature analyzes network behavior and performance and makes predictive recommendations to network administrators. The contact tracing data powers Aruba's Contact Tracing service.
Q: My data is stored in a specific country to meet local privacy regulations. Was Aruba storing my data improperly, in a different region?
A: No. The data was stored in multiple buckets, located in multiple regions corresponding to the location of the Aruba Central cluster. The external actor was in possession of an access key which provided access to buckets in multiple regions.
Q: In what format was the data stored? Was it plain text?
A: The data was stored in Apache Parquet format, not in plain text. A schema file is required to convert records to plain text and was available to the external actor.
Q: Were all customers of Aruba Central affected?
A: No. Aruba Central consists of a number of different clusters. Some clusters are multi-tenant and some are private. Customers with private clusters will be contacted directly to discuss their exposure, if any. Of the multi-tenant clusters, the China and UAE clusters were not exposed as the access key was not valid for those clusters.
Q: I subscribed to the Contact Tracing service but my network isn't managed by Aruba Central. Am I impacted?
A: Yes. Data for the Contact Tracing service is collected by on-premise AirWave appliances and sent to a processing service hosted within Aruba Central.
Q: I manage my network using AirWave. How do I know if I subscribed to the Contact Tracing service?
A: Customers who manage their networking using an on-premise AirWave appliance could choose to sign up for the Contact Tracing service. To do this, they would have created an Aruba Central account, signed in, and followed several configuration steps which included installing software on the AirWave appliance to upload client network tables to Aruba Central. If you did not perform these steps, you have not subscribed to the Contact Tracing service.
Q: How did HPE become aware of the incident?
A: Security monitoring tools deployed inside the Aruba Central environment alerted our Security Operations team to suspicious activity. The team investigated the activity and on November 2, 2021 concluded that it had been unauthorized.
Q: Does HPE have a dedicated cloud security operations team and security processes?
A: Yes. The cloud security operations team consists of experts in cloud computing platforms, cloud workload orchestration, and the security of those environments. This team was responsible for creating and deploying the monitoring tools that discovered the unauthorized access.
Q: What actions did HPE take after it became aware of the incident?
A: When HPE became aware of the incident, the access key in question had already been decommissioned and rotated on October 27, 2021 as part of regular security practices, so the unauthorized actor had no further access using the key after that date. HPE searched all Aruba Central logs to determine if additional keys were being used in an unauthorized way. The Security Operations team activated its data breach incident response plan, notifying various Security, Legal, and Privacy functions inside HPE.
Q: How long did the unauthorized actor have access to the data?
A: The first use of the access key was on October 9, 2021. The key was automatically decommissioned and rotated on October 27, 2021, as part of regular security protocols, invalidating the old key.
Q: How old was the data stored in the exposed data repository?
A: Data is automatically purged from these buckets after 30 days. During the time window from October 9 until October 27, records dating back to September 10, 2021 would have been inside the repositories.
Q: Does this mean that data related to any users that connected to my network prior to Sept 10, 2021 is not part of the repository?
A: That is correct.
Q: I only have Aruba switches that are managed by Aruba Central. Am I impacted?
A: No. The incident only affects data collected from Wi-Fi networks.
Q: Was the data encrypted in the environment?
A: Yes. However, the stolen access key had permission to use the decryption key.
Q: What remediation actions have been taken?
A: We are making systematic enhancements to our policies and tools for handling access keys to prevent another incident of this type. The Aruba Central team is accelerating an existing project to minimize the use of access keys in favor of Identity and Access Management (IAM) features of the cloud platform. Any keys used outside the environment will be subjected to stricter policies and more in-depth monitoring.
Q: Was there a vulnerability in Aruba Central that was exploited?
A: No. The external actor did not access the data repositories through the Aruba Central application. There was no vulnerability involved in the incident.
Q: Does HPE have any information about the possible identity of the external actor?
A: Not at this time.
Q: Does Aruba Central hold sensitive personal data as defined by GDPR and other privacy laws?
Q: Has HPE made any notifications to data protection regulators?
A: No. Any personal data in Aruba Central belongs to our customers and HPE processes it on their behalf in order to provide the services as a data processor. HPE is obligated to notify customers of a breach of security leading to unauthorized access and customers can determine if they need to make any regulatory disclosures.
Q: Are there any other actions I need to perform?
A: There are no other technical actions required. Security-sensitive information was not compromised. There is no need to change passwords, change keys, or alter network configuration.
Q: What if I have further questions?
A: If you have further questions, please contact your Aruba Sales account executive or email us at firstname.lastname@example.org.