If you are an Aruba user, you may also be affected by the data breach of 23 April. Aruba itself is communicating it to all its users: “billing personal data and login data were exposed”. While the latter were immediately disabled, the personal data can lead to large-scale scams against the users involved, as the company itself warns and as is usual in every data breach case.
It is a communication that, besides raising a phishing alarm now, is also drawing criticism from privacy experts.
Aruba has informed Cybersecurity360.it that the cause was a vulnerability in third-party software.
Aruba data breach: the company’s communication
The email has been sent to everyone; only users whose data were exposed have received a specific email asking them to change their authentication data.
Aruba, the well-known hosting company, opens the email by saying that it has “blocked unauthorized access to the network that hosts our management systems, but no data has been deleted or altered”.
After such an opening one would be tempted to stop reading, reassured, but the real news comes only at the end.
The “exposed” data
The data present in the affected systems are said to be:
“The billing data (name and surname, social security number, address, city, post code, province, telephone, email address, PEC address) and the authentication data for the customer area, such as login and password, the latter protected by strong encryption and in any case promptly disabled, therefore in any case unusable. Payment data (e.g. credit cards) or customer services (e.g. hosting, cloud, email, certified e-mail…) and all the data contained therein were not affected in any way”.
The company naturally informed the police, but also the Guarantor for the protection of personal data (the Italian data protection authority); this latter notification confirms that the data, despite the reassuring opening of the email, have in fact been breached.
Data exposed, not stolen: Aruba’s position
Aruba explains to us that the data were only read through an access that was closed immediately, and that in the months of investigation since April there has been no evidence of theft (nothing on the dark web, no ransom demand).
The communication arrived months later precisely because of the time taken to investigate the incident; they add that, since there was no theft, they were not required to report it.
“Nowadays, if data are exposed they are also stolen”, says Claudio Telmon, cyber security expert at P4I and Clusit, “except for incredible strokes of luck”.
“If the data are exposed and not copied, it means that the data were publicly accessible online, but no evidence of access was found”, adds Alberto Pelliccione, CEO of ReaQta. “The communication, however, says that the data have not been impacted in their integrity and availability; this only means that they have not been destroyed or made unavailable, not that they have not been accessed”, he adds.
What users have to do
Those who have received only this email need do nothing, except reflect on the fact that “unfortunately this is a very particular period, in which increasingly sophisticated cyber attacks are on the rise and are hitting companies and public and private organizations of every size globally”, as the email reads. That is why, despite “attaching great importance to IT security” and making “huge investments in technology, tools and organization”, “we have not been able to prevent the event”, it goes on.
This admission of regret also confirms that the data breach did take place.
So, if we are Aruba users, let us pay attention to communications that have arrived or will arrive (checking the spam folder too). There we may find confirmation that our data have been stolen and that we need to change our password.
As in all data breach cases, one consequence is that criminals gain more tools for targeted, personalized phishing thanks to the stolen data.
Salvatore Lombardo, cyber security expert and Clusit member, confirms to our newspaper: “the incident will almost certainly give cyber crime the opportunity to exploit the exposed data (name and surname, social security number, address, city, postcode, province, telephone, email address, PEC) to set up various forms of phishing (smishing, vishing) and implement social engineering strategies against the users concerned”.
“Requests for an immediate response, impending deadlines and threats to disable a service are the most common methods used by scammers to try to trick users into computer traps that mimic Aruba communications.”
If we are Aruba users, then, we should pay attention to emails that appear to come from Aruba (or from other parties) and that seem to know us very well. But given that sooner or later almost all companies (including the big names in social networks) suffer data breaches, this advice holds universally.
Aruba, criticism of the data breach communication
Finally, there are doubts about Aruba’s communication. Diego Dimalta, a lawyer and privacy expert, discusses it with Cybersecurity360.it.
“There are two problems: timing and transparency. Timing, because it is not acceptable that a company, after suffering a data breach, communicates it with a delay of almost three months. In those three months, customers could have adopted measures to mitigate any damage, but Aruba’s delay did not allow it. The other problem is transparency”.
“The communication sent, in fact, must be read between the lines. They say what did not happen, but they blur what happened instead. They say that integrity and availability have not been affected: does that mean that confidentiality has failed instead? Then it should have been written clearly. They say they blocked an access, but what was whoever entered the systems doing? How long had the system been compromised?”
The question of the role of customers
“Another aspect concerns the role of customers”, continues Dimalta.
“Yes, because the Aruba customer is not always a simple data subject; he is often a data controller (with Aruba as data processor). In such cases, then, the controller should have started the data breach procedure, notifying the Guarantor and customers, but with this late communication the risk is that it is of no use for protecting the data subjects. In short, it should have been managed better and faster”.
A previous version of this article spoke of “stolen” data because, as many experts note, exposed data are usually also stolen. We have amended it to incorporate Aruba’s position.