In 2024, Hewlett Packard Enterprise (HPE) disclosed a significant data breach attributed to the state-linked hacking group **Midnight Blizzard (APT29)**. The attackers compromised a **Microsoft 365 email account** as early as **May 2023** and remained undetected for **seven months**, until December 2023. Only a small percentage of mailboxes, primarily in **cybersecurity and business operations**, were accessed, but the exposed emails contained **highly sensitive personal identifiers**, including **Social Security numbers, driver’s licenses, and payment card details**.

The breach underscored the weakness of **unencrypted email systems**: the attackers exfiltrated months of communications containing **financial reports, identity documents, and internal strategies**. Had **end-to-end encryption** been in place, the stolen data would have been unusable ciphertext without the account owners’ private keys. The incident also showed how long **dwell time** in an email breach translates into **massive data exposure**, because mailbox archives often span years of historical communications. HPE’s case is a warning that even **global enterprises** with mature security programs are not immune to **sophisticated, prolonged intrusions** targeting email environments.
Source: https://www.makeuseof.com/why-you-need-encrypted-email/
TPRM report: https://www.rankiteo.com/company/hewlett-packard-enterprise
"id": "hew5092350092125",
"linkid": "hewlett-packard-enterprise",
"type": "Breach",
"date": "5/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Information Technology',
                        'location': 'Global (HQ: Spring, Texas, USA)',
                        'name': 'Hewlett Packard Enterprise (HPE)',
                        'size': 'Large Enterprise',
                        'type': 'Corporation'}],
 'data_breach': {'data_encryption': 'Partial (in-transit and at-rest, but not end-to-end)',
                 'data_exfiltration': 'Yes (months of email archives)',
                 'file_types_exposed': ['Emails',
                                        'Attachments (likely including documents, spreadsheets, PDFs)'],
                 'personally_identifiable_information': ['Social Security Numbers',
                                                         'Driver’s Licenses',
                                                         'Payment Card Details'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable Information (PII)',
                                              'Financial Data',
                                              'Internal Business Communications']},
 'date_detected': '2023-12',
 'date_publicly_disclosed': '2024',
 'description': "Hewlett Packard Enterprise (HPE), one of the world's largest IT companies, disclosed in 2024 that suspected state-linked hackers (Midnight Blizzard/APT29) had compromised a Microsoft 365 email account as early as May 2023. The breach remained undetected for seven months (May–December 2023), during which attackers accessed a small percentage of mailboxes in cybersecurity and business operations. Exfiltrated data included highly sensitive personal identifiers such as Social Security numbers, driver’s licenses, and payment card details. The incident underscored the critical need for end-to-end email encryption, as the lack of it allowed attackers to read messages directly despite in-transit and at-rest protections. The breach highlighted vulnerabilities in email security, long dwell times for advanced threats, and the broader risk to both enterprises and individuals from unencrypted email archives.",
 'impact': {'brand_reputation_impact': "High (given HPE's global enterprise status and sensitivity of compromised data)",
            'data_compromised': ['Social Security Numbers',
                                 'Driver’s Licenses',
                                 'Payment Card Details',
                                 'Internal Communications',
                                 'Financial Reports',
                                 'Identity Documents'],
            'identity_theft_risk': 'High (due to exposure of PII like SSNs and driver’s licenses)',
            'operational_impact': 'Limited to specific mailboxes in cybersecurity and business operations',
            'payment_information_risk': 'High (payment card details compromised)',
            'systems_affected': ['Microsoft 365 Email Environment']},
 'initial_access_broker': {'entry_point': 'Compromised Microsoft 365 Account',
                           'high_value_targets': ['Cybersecurity Teams',
                                                  'Business Operations'],
                           'reconnaissance_period': 'Unknown (breach undetected for ~7 months)'},
 'investigation_status': 'Disclosed (2024); no further updates on root cause or forensic details',
 'lessons_learned': ['End-to-end email encryption is critical to limit exposure even if accounts are compromised.',
                     'Dwell times for advanced threats can span months or years, emphasizing the need for proactive detection.',
                     'Unencrypted email archives pose a long-term risk, as they contain historical sensitive data.',
                     'Individuals and enterprises must prioritize encryption, multi-factor authentication (MFA), and data hygiene (e.g., deleting old documents).',
                     'Email security must evolve beyond basic protections (e.g., spam filters, passwords) to address targeted attacks.'],
 'motivation': ['Espionage', 'Data Theft'],
 'post_incident_analysis': {'root_causes': ['Lack of end-to-end encryption for email content.',
                                            'Insufficient detection mechanisms to identify the breach for ~7 months.',
                                            'Targeted compromise of a high-privilege Microsoft 365 account.']},
 'recommendations': ['Implement end-to-end encryption for all email communications.',
                     'Enforce multi-factor authentication (MFA) across all accounts, especially email.',
                     'Regularly audit and clean up old or unnecessary emails and attachments.',
                     'Monitor for unusual account activity with advanced threat detection tools.',
                     'Assume breach mentality: design security controls to limit data exposure even if perimeter defenses fail.',
                     'Hold email providers accountable for baseline encryption standards.'],
 'references': [{'source': 'Bleeping Computer'},
                {'source': 'MakeUseOf (MUO) - Afam Onyimadu'}],
 'response': {'communication_strategy': 'Public disclosure in 2024',
              'incident_response_plan_activated': 'Yes (disclosed in 2024 after detection in December 2023)'},
 'threat_actor': 'Midnight Blizzard (APT29)',
 'title': 'Hewlett Packard Enterprise (HPE) Email Data Breach (2025)',
 'type': ['Data Breach', 'Unauthorized Access', 'Espionage'],
 'vulnerability_exploited': ['Lack of End-to-End Email Encryption',
                             'Compromised Microsoft 365 Account']}