Rackspace revealed on Thursday that attackers behind last month’s incident accessed some of its customers’ Personal Storage Table (PST) files which can contain a wide range of information, including emails, calendar data, contacts, and tasks.
This update comes after Rackspace confirmed that the Play ransomware operation was behind the cyberattack that took down its hosted Microsoft Exchange environment in December.
As discovered during the now-finished investigation led by cybersecurity firm Crowdstrike, the attackers gained access to the personal storage folders of 27 Rackspace customers.
However, the company added that there is no evidence that they viewed the contents of the accessed backup files or misused the information.
“Of the nearly 30,000 customers on the Hosted Exchange email environment at the time of the attack, the forensic investigation determined the threat actor accessed a Personal Storage Table (‘PST’) of 27 Hosted Exchange customers,” Rackspace said in an incident report update shared with BleepingComputer in advance.
“We have already communicated our findings to these customers proactively, and importantly, according to Crowdstrike, there is no evidence that the threat actor actually viewed, obtained, misused, or disseminated any of the 27 Hosted Exchange customers’ emails or data in the PSTs in any way.”
“Customers who were not contacted directly by the Rackspace team can be assured that their PST data was not accessed by the threat actor.”
While RackSpace says there is no evidence that the threat actors accessed customer data, history has shown that this invariably is not the case.
Additionally, even if the data may not be leaked if a ransom is paid or for some other reason, it is very likely that customer data was at least viewed during the attack.
Affected clients can download some recovered PST data
Since discovering the attack on December 2 and confirming the resulting outage was caused by a ransomware attack, Rackspace has been offering affected customers free licenses to migrate their email from its Hosted Exchange platform to Microsoft 365.
The cloud computing provider also provides affected customers with download links to recovered historic mailbox data (containing email messages before December 2) through its customer portal via an automated queue.
“As a reminder, we are proactively notifying customers for whom we have recovered greater than 50% of their mailboxes,” the company said.
“We will continue working to recover all data possible as planned, however, in parallel, we are developing an on-demand solution for those customers who do still wish to download their data. We expect that the on-demand solution will be available within two weeks.”
BleepingComputer asked a Rackspace spokesperson earlier today if the email data is being restored from Rackspace’s backups or with the help of a decryption tool provided by the Play ransomware attackers. We will update the article when we have an answer.
Rackspace added in today’s update that its Hosted Exchange environment would be discontinued, saying that it was already planning to migrate customers to Microsoft 365 even before the December ransomware attack.
“Finally, the Hosted Exchange email environment will not be rebuilt as a go-forward service offering,” Rackspace said.
“Even prior to the recent security incident, the Hosted Exchange email environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model, as well as more modern features and functionality.”