Hewlett Packard Enterprise (HPE) has started notifying individuals whose personal information was compromised in a 2023 cyberattack, which the company has attributed to Russian government hackers. According to breach notices filed with at least two U.S. state attorneys general, more than a dozen individuals have been notified so far.

The stolen data includes sensitive information such as Social Security numbers, driver's license information, and credit card numbers, as revealed in a filing with the state of Massachusetts. Despite requests for comment, HPE spokesperson Adam R. Bauer did not provide any additional information on the breach.

The cyberattack, which began in May 2023, targeted HPE's email systems and SharePoint environments, both of which were hosted by Microsoft. HPE publicly disclosed the incident in January 2024, confirming that the hackers had exfiltrated the contents of a "small number" of its email mailboxes and some SharePoint files.

According to HPE, the hackers used a compromised account to access internal HPE email boxes in its Office 365 email environment. The stolen mailbox data predominantly belonged to individuals in HPE's cybersecurity, go-to-market, and business teams. The company attributed the hack to a group dubbed Midnight Blizzard, which security researchers have linked to Russia's foreign intelligence service, known as the SVR.

Midnight Blizzard, also known as APT29, has been linked to several high-profile attacks, including the 2019 SolarWinds espionage campaign targeting the federal government. Microsoft, which hosted HPE's email systems and SharePoint environments, also confirmed in January 2024 that its corporate network was compromised by Midnight Blizzard.

Microsoft revealed that the Russian hackers targeted the email accounts of corporate executives, as well as senior staff working in cybersecurity. The tech giant believes this was an attempt by the hackers to learn what Microsoft knows about their own activities.

The incident highlights the ongoing threat of cyberattacks and the importance of robust security measures to protect sensitive data. As the attack has been attributed to a nation-state actor, it also raises concerns about the role of governments in cyber espionage and the potential consequences for individuals and organizations.

The notification of affected individuals is a crucial step in the breach response process, and it remains to be seen how HPE will continue to address the incident and prevent future attacks. The company's response will likely be closely watched by the cybersecurity community and may have implications for the broader tech industry.