Attack on Aruba, what really happened. No data was stolen

At the end of April, Aruba forced a password change for many of its customers. This is an operation usually carried out when something has not gone as it should.

Yesterday, after a few months, Aruba sent a communication to all customers explaining what had happened: there had actually been a cyber attack. The text of the communication follows.

Dear Customer,

we wish to inform you that on 23 April we detected and blocked unauthorized access to the network that hosts some of our management systems, but no data has been deleted or altered.

We also specify that no system of production and delivery of our services has been involved, as they are completely separate.

We immediately implemented a series of internal and external measures including informing the Police and the Guarantor for the Protection of Personal Data. At the conclusion of all our analyses, we felt it was our duty to inform you of the incident even if no action was required on your part.

We attach great importance to IT security and make huge investments in technology, tools and organization, but in this circumstance we have not been able to prevent the event. Unfortunately, this is a very special period, in which cyber attacks, increasingly sophisticated, are on the rise and are hitting companies and public and private organizations of all levels globally.

More information below:

The data present in the systems concerned, whose integrity and availability have not been impacted in any way, are the billing data (name and surname, tax code, address, city, postcode, province, telephone, email address, PEC address) and authentication data to the customer area, such as login and password, the latter protected by strong encryption, and in any case promptly disabled, therefore in any case unusable.

Neither the payment data (e.g. credit cards) nor the customer services (e.g. hosting, cloud, email, PEC …) and all the data contained therein were affected in any way.

The disabling of passwords to access the customer area was performed without notice as per standard security procedure. We are sorry if this may have caused you some inconvenience, but it has allowed us to eliminate any kind of risk, even if potential. If you have not already reset your password following the event, the system will ask you to choose a new one the first time you access the customer area. We remind you that there is no urgency to complete the operation, as the system is already safe.

As a further precaution also in order to defend against common digital scams, we recommend that you:

  • always choose different passwords for each service used and change them periodically;
  • pay particular attention to emails or certified e-mails of dubious origin or whose content should generate suspicions;
  • if the content of an email seems suspicious, unexpected or the sender is unknown, avoid clicking on the links and do not download the attachments;
  • keep in mind that Aruba personnel never ask you via email, SMS or telephone to communicate your credentials to access the services (username / password) or the details of your electronic payment methods (e.g. credit card number or PayPal account).

We confirm that no action is required on your part, we apologize for the incident and remain available for further information or clarifications at [email protected]

We took some time to deal with this news because we wanted to make sure we understood what really happened. The first thing to say is that the communication was sent by Aruba to all customers by voluntary decision.

We speak of an attempt because, reading between the lines, one might think that some of the personal data that Aruba lists as “name and surname, tax code, address, city, postcode, province, telephone, email address, certified e-mail address” had been stolen by someone. In reality, it turned out that Aruba only suffered unauthorized access, which was promptly blocked by the Incident Response Team.

“The incident was immediately reported to the Postal Police and the Guarantor for the Protection of Personal Data, and was subject to in-depth analysis, further monitoring, identification and classification of other possible threats, with a synergistic and cooperative approach between specialized Aruba staff and some external specialists in the Cyber Threat Intelligence field,” the company explained to us.

The analyses carried out in recent months identified the “way of access”: someone managed to enter a server by exploiting a vulnerability in a third-party CMS used by Aruba to manage the content of the user guides for its products and services for customers. In effect, a management server with some data on it was attacked.

In recent months, Aruba has not only used consultants and carried out a very detailed analysis of the incident; an intelligence operation was also conducted on both the web and the dark web to understand whether any data could have been stolen and to confirm what the analyses reported: there appears to have been no copy of and no access to the data.

Monitoring of every “illegal” channel completely ruled out the presence, after months, of any data or even of people trying to sell any data, and this, together with all the documentation, was enough to declare the incident.

Moreover, in recent months Aruba has not received any contact from those who attacked it (hackers, cyber criminals, …), either for extortion or for other purposes. “The conclusion of these analyses and monitoring gave us the certainty that the data in our systems have not been impacted in any way in their integrity and availability, and have not been taken,” Aruba told us.

The company also told us why it changed passwords in late April. “As per the security protocol, a series of precautionary measures were immediately adopted, including the raising of all levels of sensitivity of our security software tools and threat intelligence. As a further form of precaution, and despite being already protected by strong encryption, we have chosen to disable all passwords for access to the customer area without notice. We were aware that this sudden action could immediately cause inconvenience to some of our customers – and we can now apologize for this – but the timing has allowed us to eliminate any kind of potential risk.”

Two days after the event, they could not know what would emerge after two months of investigation, and they could not take any risks. The most immediate route was therefore chosen, which caused some inconvenience.

Perhaps the communication sent to customers was not very clear in places: it would have been enough to insert the sentence above: “The conclusion of these analyses and monitoring has given us the certainty that the data in our systems have not been impacted in any way in their integrity and availability, and were not taken.”

In any case, in a period where attacks are more and more frequent, and those that succeed are frequent, this is all in all good news. Aruba customers can breathe a sigh of relief.
