Managed service providers caught up in last week’s Pax8 data leak have taken a pragmatic approach to the incident that saw their businesses commercially exposed.
The breach occurred when a Pax8 employee accidentally shared an internal Excel spreadsheet with around 40 UK partners on Jan. 13, according to the incident report. The file contained internal business information for approximately 1,800 partners, including customer names, license types, and quantities related to Microsoft Modern Work products.
“It could have happened to anyone,” Troy Midwood, CEO of UK MSP Aabyss, told Channel Dive. “Unfortunately, it happened to them.”
Midwood received the file and immediately recognized what it was — and what it was not.
“It was an Excel file built to help the internal account management team identify efficiencies and cost savings linked to Microsoft licensing changes coming in 2026,” Midwood told Channel Dive. “It was never meant to leave Pax8.”
While no credentials or technical access points were exposed, the data was commercially sensitive, according to Midwood
“There were no passwords. There was nothing that could be used to compromise systems. But it is effectively a sales database. It shows who buys Microsoft, which licenses they’re on, and who they buy them from,” he said.
The spreadsheet Midwood received included data covering around 1,750 UK MSPs, many of which operate in overlapping markets.
“Within a few miles of my office, there are MSPs on that list who are direct competitors,” he said. “If you transact Microsoft through Pax8, there’s now a chance someone else knows who all your clients are.”
Aabyss notified customers whose names appeared in the data.
“We told clients because transparency was the right thing to do, but we were also able to reassure them about the scope,” Midwood said. “This wasn’t a technical breach.”
An uncomfortable irony
The incident touched on a core feature of the Pax8 cloud marketplace — security services.
“They provide tools and training designed to stop exactly this sort of thing,” said Midwood. “Either those controls weren’t in place internally, or they didn’t work.”
Ian Groves, managing director of UK MSP Start Tech, described the breach as uncomfortable but not operationally damaging.
“Would I have preferred my data wasn’t out there? Of course,” said Groves. “But it doesn’t change my relationship with my customers. That’s not determined by a spreadsheet.”
Groves was blunt about where responsibility lies.
“This isn’t about blaming an individual,” he said. “The person had a laptop, email and tools provided by the organization. This is an organizational responsibility to put controls in place to protect people from mistakes.”
He likened the situation to workplace safety rather than individual negligence.
“If someone falls off a ladder, it’s not just about training — it’s about whether the organization put the right protections in place. Sometimes people still fall.”
The rumor mill
In the hours after the incident, Pax8 released a brief statement acknowledging responsibility, promising an internal review and instructing partners to submit marketplace support tickets with questions or concerns. A lack of further detail fueled anxiety across the MSP community.
“The rumor mill went into overdrive,” Groves said. “People were panicking because they didn’t know what had gone out or how bad it was.”
Immediate silence is not unusual in incidents involving legal and regulatory considerations.
“These things take time – legal teams have to work out what can and can’t be said,” Groves acknowledged.
Pax8 followed up with additional incident details on Jan. 14 and gave impacted partners a means to securely review their exposure the following day.
Aabyss and Start Tech credit Pax8 with following up directly once more information was available. Midwood says senior executives personally contacted affected partners, despite the timing coinciding with the company’s annual leadership strategy meeting in Denver.
“They were working late and getting up early to speak to partners in different time zones,” he said. “That was the right thing to do.”
Groves also welcomed one-to-one conversations with senior Pax8 staff.
“It didn’t change the outcome, but it mattered,” Groves said.“They held their hands up and explained what happened. That’s what partnership looks like.”
Neither MSP believes the incident will damage their relationship with Pax8. Instead, both frame it as a broader lesson for the channel.
“This was a tabletop exercise none of us wanted to be part of,” said Groves. “But I’m almost grateful to have watched another organization go through it rather than it being my own.”
