SecurityWeek

HPE Says Personal Information Stolen in 2023 Russian Hack

HPE is notifying an unknown number of individuals that Russian hackers accessed their personal information in a December 2023 attack.

Hewlett Packard Enterprise has started notifying people that their personal information was likely compromised in a December 2023 hack attributed to a Russian threat actor.

The incident was disclosed a year ago, when HPE notified the US Securities and Exchange Commission that the state-sponsored hacking group known as Midnight Blizzard compromised its cloud-based email environment and accessed a small percentage of mailboxes.

Also known as APT29, Cozy Bear, the Dukes, and Yttrium, and believed to be backed by the Russian government, Midnight Blizzard is known for various high-profile intrusions, including attacks targeting Microsoft systems and TeamViewer.

According to HPE’s SEC filing, the threat actor accessed mailboxes belonging to “individuals in our cybersecurity, go-to-market, business segments, and other functions”.

At the time, the company linked the incident to a previous intrusion in which attackers exfiltrated “a limited number of SharePoint files as early as May 2023”, and said that it completely evicted the threat actor from its environment.

In a regulatory filing with the New Hampshire Office of the Attorney General last week, HPE reiterated that the incident was contained and remediated, but said that the attackers accessed personal information that was stored in the compromised mailboxes.

The company said it started sending written notifications to the impacted individuals on January 29, and submitted a redacted copy of the letter to the Attorney General’s Office. HPE is providing the impacted individuals with free identity theft restoration and credit monitoring services.

Last week, HPE also notified the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) that Social Security numbers, driver’s license information, and credit or debit card numbers were compromised in the incident.

The company revealed in its notification to Massachusetts authorities that 10 individuals in the state were impacted, but it’s unclear how many people are affected in total, and whether the attackers compromised the information of both employees and customers.

Responding to a SecurityWeek inquiry, HPE refrained from sharing details on the number of impacted individuals, reiterating that only a small percentage of HPE employee mailboxes were compromised in the attack, and that Midnight Blizzard was responsible for the hack.

“On December 12, 2023, HPE was notified that a suspected nation-state actor had gained unauthorized access to the company’s Office 365 email environment. HPE immediately activated cyber response protocols to begin an investigation, remediate the incident, and eradicate the activity. Through that investigation, we determined that this nation-state actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE employee mailboxes. The accessed data is limited to information contained in the users’ mailboxes, and we have notified impacted parties as appropriate. We believe the nation-state actor is Midnight Blizzard, also known as Cozy Bear,” HPE said.

*Updated with statement from HPE.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
