Rackspace customer data taken in 'PLAY' ransomware attack

Cloud hosting service Rackspace, which suffered a ransomware attack last month, says some customers suffered a data breach in the incident. 

In a forum post update, the company said that a "forensic investigation determined the threat actor accessed a personal storage table (PST) of 27 Hosted Exchange customers."

PST files are a proprietary data storage format created by Microsoft which contain, among other things, user email messages and calendar items.

Rackspace said there is "no evidence" that the attackers who accessed the PST files actually viewed or misused them, but did not provide further detail as to how it had come to that conclusion.

The cloud hoster said it has contacted the 27 customers hit by the data stealing ransomware attack.

All in all, Rackspace said it had nearly 30,000 customers on its Hosted Exchange service offering.

Rackspace also confirmed that the PLAY ransomware gang was behind the attack, and referred users to security vendor Crowdstrike for further information on how the flaws were exploited.

PLAY has been behind attacks on the H Hotel chain and other organisations around the world.

The company said it has been notifying customers for which it has recovered more than 50 percent of their mailboxes, and made available the PST files through portals.

Rackspace will discontinue the Hosted Exchange email, calendaring and contacts service.

Instead it will encourage customers to migrate to Microsoft 365, which "has a more flexible pricing model, as well as more modern features and functionality," Rackspace said.