Author: John Farley
Cloud service provider Rackspace reported a significant outage on December 2, 2022, and remains down as of this writing. What was initially described as connectivity and login issues is now being reported as a security incident. It has the potential to impact a large number of Rackspace clients.
What we know now about the Rackspace outage
The current outage is affecting Rackspace's hosted Microsoft Exchange environments. The impacted services include MAPI/RPC, POP, IMAP, SMTP, ActiveSync, and the Outlook Web Access (OWA) interface used to access the Hosted Exchange to manage email online. According to Rackspace, the issue is "isolated to a portion of our Hosted Exchange platform."*
Rackspace advisory and response
In response to the incident, Rackspace is offering affected customers free Microsoft Exchange Online Plan 1 licenses until the outage is resolved. Detailed instructions on how to activate the free licenses and how to migrate users' mailboxes to Microsoft 365 are available in Rackspace's incident report.*
While there's no estimated time frame for full restoration of services, Rackspace has indicated that it may take several days.
Potential cybersecurity liabilities: What to do now
At this point in the investigation, it will be difficult to determine what liabilities, if any, may affect Rackspace clients. Questions remain regarding whether unauthorized parties may have accessed any sensitive information, whether the incident will spread to systems beyond the Microsoft Exchange environment, the length of downtime and the overall impact to their clients' business operations as a result of this event.
As the investigation unfolds, we suggest affected organizations proactively assemble key members of their incident response teams who may need to respond in some way as more information becomes available. These key members may include general counsel, communications, information technology, business continuity and risk management departments. We suggest a thorough review of incident response plans to aid in any required strategic response.
Leveraging cyber insurance
Cyber insurance and other insurance policies may provide assistance to organizations that believe they were victimized by cyber threat actors, either directly or indirectly through a vendor. Many stand-alone cyber policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts. Those with cyber insurance should be mindful of claim reporting obligations, requirements to utilize insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.
Organizations should also be aware of the rapidly evolving cyber insurance products that may impact the scope of insurance coverage. The hardening 2022 cyber insurance market has spurred cyber insurers to use various methods to reduce their cascading losses for incidents such as the one that is unfolding at Rackspace. Sub-limits and coinsurance are often imposed for ransomware claims. Some carriers have increased waiting periods before business interruption coverage is triggered. Contingent business interruption coverage may be offered for losses as a result of an incident involving a key vendor, but buyers need to be mindful of potentially restrictive policy language. Cyber carriers may limit or exclude coverage related to specific cloud providers and other third parties.