Emails were sent yesterday to inform Aruba customers of a breach of confidentiality of their data. The company, which had already informed both the Postal Police and the Guarantor for the protection of personal data, after two months of monitoring and analyzing its effects, decided to individually inform the users concerned that it had “blocked unauthorized access” to its database, forcing them to reset access passwords.
The event dates back to April 23 and does not seem to have had obvious consequences for now. However, it is an event to be monitored, given that Aruba, together with Infocert, is the largest provider of digital identity and certified mail in the country, an industrial reality that supplies most of the Italian public administrations through Consip and offers hosting, cloud and virtual machines. also to individuals and companies, is an Italian giant in the sector that has just entered the optical fiber sector in partnership with Open Fiber.
Bergamo
Minister Colao visited the Aruba data center in Ponte San Pietro
According to the company’s technicians, the exposure of customer data did not impact the normal functioning of the services and “there was no damage to the integrity and availability of the data”, even if it was a real attack. own. Someone has had access to the data and has been able to “read” them, in jargon we speak of loss of confidentiality: there is someone else who knows data that should remain reserved for the transactions that you have decided to have. But technically, what happened? Is it a software defect, a malware, a human error? Contacted by us, the managers of Aruba stated that the attacker found a crack in a third-party software (once again a supply chain problem, as for Kaseya and SolarWinds), which serves to publish the Aruba guides on ” use of its services by users, using a web page that the company publishes as an archive.
However, in a private note obtained by Italian Tech and sent to one of the interested parties who asked for assistance and clarifications, Aruba states that “the management systems affected by the event contain their billing data and the authentication data of the customer area, such as login and password, the latter protected by strong encryption, and in any case promptly disabled, and therefore not usable “and that” payment data (eg credit cards), nor customer services (hosting , cloud, email and Pec …) and all the data contained therein. “
An Aruba spokesperson explained what had happened to us with a metaphor: “We were at home in a room with the light on, and when we saw someone looking out the window we turned off the light so that he would not look inside” – and then reiterated how much written in a company note – “After two and a half months of analysis and monitoring we can say that we have not found evidence that the breached data has been used or put up for sale.”
Unfortunately this is a claim that is difficult to subscribe to. User data associated with a single service is generally used by cybercriminals for phishing campaigns, that is, for the massive sending of fraudulent emails, which induce users to take actions to their detriment, such as implanting malware in the computer and continuing with identity theft, even more dangerous when we talk about identity and certified services.
For now, any negative effects are difficult to establish: the Privacy Guarantor has suspended the on-site inspection activity due to Covid, and does not unbutton itself on the extent of the customers concerned or on the type of attack. However, he was informed 48 hours after the discovery of the breach and started his investigation, still in progress, “with useful interlocutions towards the company”, while “the decisions to be taken by the end of the month are being evaluated”, as we says a qualified source.
Aruba has undergone important databreach in the past, like many other large service providers (think of the Microsoft Exchange case), but even if it were a “standard” case it deserves a lot of attention precisely because it provides the PA and, ironically, the same Privacy Guarantor.
In fact, even if it were a matter of a few thousand users, in the face of hundreds of thousands of customers supplied by Aruba – let’s think of the pec used in civil processes -, it is important to invite all customers to be very cautious, given that, as the same says company on its website, “Fraudulent theft of confidential codes, unwanted access, payments of money to non-existent companies or entities are the most known consequences of online scams conveyed by emails or SMS that seem to come from reliable sources, presenting logos of well-known companies, banks or even public bodies “. As in the case of any illegitimate use of the data spied in Aruba, in fact. In fact, it is not difficult to reconstruct an email address from a name and surname, or work affiliation from an email address by impersonating the legitimate owner and pretending to be it.
.