
Hewlett Packard Enterprise (HPE) has confirmed a significant data breach involving Russian state-backed hackers. The breach, which occurred in May 2023, was only made public in January 2025, prompting concern over the vulnerability of corporate email systems and the ongoing risks posed by cyberattacks. The hackers, believed to be affiliated with the Russian cyber espionage group Cozy Bear, targeted HPE’s cloud-based Office 365 email environment, compromising sensitive employee data such as Social Security numbers, driver’s licenses, and credit card details.
A targeted attack on HPE's email system
In response to the breach, HPE began notifying affected employees in late January 2025, issuing breach notification letters to at least 16 individuals whose personal information had been stolen. According to the company, the attack was limited to a small group of HPE employees, primarily those working in the cybersecurity, business, and go-to-market functions.
The hackers accessed and exfiltrated data contained within employee mailboxes, underscoring the risks associated with cloud-based communication platforms. This incident has been labelled the HPE data breach, and it has raised questions about the effectiveness of current email and cloud-based security protocols, especially in light of the growing Russian cyberattack threats.
Despite the relatively limited number of employees affected, the breach raises significant concerns about the broader implications of data security within large corporations. The compromised information included not only personal data but also business-related communications, which could potentially expose internal company strategies or confidential communications to malicious actors. This highlights the vulnerability posed by an Office 365 security breach, especially when corporate cybersecurity measures are not fully up to par.
HPE’s internal investigation determined that the breach stemmed from the exploitation of a compromised account, allowing the hackers to gain unauthorized access to the Office 365 system. While HPE has assured that the breach is now contained, the incident serves as a stark reminder of the vulnerability of email systems, which are often targeted by advanced persistent threat (APT) groups such as Cozy Bear.
Cozy Bear and the growing threat of state-backed actors
The attack on HPE is attributed to Cozy Bear, a Russian hacking group with ties to Russia’s Foreign Intelligence Service (SVR). Cozy Bear, also known by various aliases, including Midnight Blizzard and APT29, has been linked to several high-profile cyberattacks, including the infamous SolarWinds breach of 2020. The group's activities typically focus on espionage and data exfiltration, targeting government agencies, corporations, and critical infrastructure around the world. This recent Office 365 hack incident adds to the growing list of cybersecurity threats Russia poses to global organizations.
HPE’s breach was discovered as part of a wider campaign that Cozy Bear appears to have conducted in 2023. This Russian Office 365 hack is thought to be related to another May 2023 breach, in which hackers targeted HPE’s SharePoint server, exfiltrating additional files. Microsoft also reported similar activities by Cozy Bear, warning that hackers had accessed corporate email accounts and source code repositories within its systems. The Russian cyberattack has prompted further investigations into how companies can better secure their Office 365 systems against such sophisticated threats.
HPE’s limited exposure to this attack does not lessen the gravity of the situation. Cozy Bear's continued targeting of high-profile corporations highlights the risks posed by well-funded, nation-state actors who are increasingly able to bypass traditional cybersecurity defences. This breach further underscores the importance of robust security protocols and the need for constant vigilance in the face of growing cybersecurity threats.
Past breaches and ongoing challenges
This breach is not the first time HPE has encountered significant cybersecurity challenges. In 2018, the company suffered a data breach caused by Chinese state-sponsored hackers, who infiltrated HPE's network and compromised its customers' devices. More recently, in 2021, HPE disclosed a breach involving its Aruba Central platform, which exposed data about monitored devices and their locations to unauthorized access.
Additionally, in early 2024, HPE began investigating claims by the hacker group IntelBroker, which alleged it had stolen sensitive data, including HPE credentials and source code. These incidents demonstrate an ongoing pattern of corporate cybersecurity breaches targeting HPE and the broader tech industry. This pattern of cybersecurity threats highlights the urgency for companies to enhance their security measures in order to prevent similar incidents from occurring.
To address these challenges, HPE has been working to enhance its cybersecurity capabilities, implementing stronger safeguards and taking immediate action to protect its data and systems from future attacks. The company has also pledged to continue its investigations into the current breach and to provide further notifications to employees and stakeholders as necessary.