Rackspace Ransomware Attack and Hosting Interruption Class Action

Rackspace Technology, Inc. provides services such as business email and cloud computing. But the complaint for this class action alleges Rackspace experienced a ransomware attack on December 2, 2022 that “disrupt[ed] its cloud services and exfiltrate[ed] sensitive customer data[.]” Ten days later, the complaint claims that Rackspace clients have still not been able to access their email or data and they have had no assurance that the exfiltrated data has been recovered or destroyed.

The Nationwide Class for this action is all persons, including business entities, whose private information became inaccessible and/or was viewed by unauthorized third parties as a result of the data breach discovered on or around December 3, 2022. An Arizona Subclass has also been proposed, for those in the above class living in Arizona.

Rackspace, the complaint alleges, has portrayed itself as having “Fanatical Support” with a particular devotion to customer service and security. The complaint quotes it as saying, “We developed specialized expertise in technologies such as Linux and Windows and network security.”

The plaintiff in this case, Q Industries, makes air compressors and related items that it sells at retail. It uses Rackspace to communicate via email and “to store important, proprietary information[,]” the complaint says. It is suing Rackspace “for its failure to exercise reasonable care in securing and safeguarding the sensitive, proprietary data of its customers, and its failure to exercise reasonable care to maintain the stable, reliable cloud computing services its customers rely on in conducting their respective businesses.”

The ransomware attack seems to have occurred on December 2, at which point clients like Q were locked out of their email and cloud accounts because of the service outage.

Rackspace was not able to resolve the problem at that point, but later that evening, the complaint alleges, it announced that it was offering clients a stopgap measure, that is, Microsoft Exchange Plan 1 Licenses on Microsoft 365. This was not a full solution, the complaint alleges, because Microsoft 365 is a mass-market product, not a high-quality, comprehensive one designed for businesses.

“On information and belief,” the complaint alleges, the clients “have been told that limited services will be restored eight weeks after their repair request tickets are accepted by Rackspace’s IT services contractor, with full functionality restored eight more weeks after that. However, as of December 9, 2022, [Q’s] tickets had not yet been accepted.”

This means, that full service will only be restored sixteen weeks after some unknown date in the future, the complaint says, which in turn means that the company will be crippled during the December shopping season.

The complaint alleges that Rackspace failed to take adequate measures to prevent the attack, to protect the information it stored in its systems, and to provide the uninterrupted services its clients relied on.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Service Interruptions, Your Privacy