The UK data protection watchdog has fined a cyber vendor £1.2m after a 2022 data breach that compromised the personal information of about 1.6 million of its UK users. A combination of two isolated incidents enabled hackers to steal personal information, the ICO says.
The regulator found that LastPass failed to implement ‘appropriate technical and organisational security measures’, which ultimately enabled a hacker to gain unauthorised access to its back-up database. There is no evidence that hackers were able to decrypt customer passwords, as these are stored locally on customer devices and not by LastPass.
Business and personal
The vendor was allowing its employees, including senior ones with access to highly confidential corporate credentials, to link their Employee Business and Personal accounts so that both could be accessed using the same master password. That meant that when the hackers installed a keylogger on the Senior Development Operations Engineer’s personal device, they were able to capture the engineer’s master password and use it, together with stolen trusted-device cookies, to gain access to both his Employee Business and Personal accounts, with the former containing the AWS access key and decryption keys required to access a backup database.
The incidents occurred in August 2022, when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop, on which the hacker implanted malware and was then able to capture the employee’s master password. The hacker took personal information which included customer names, email addresses, phone numbers, and stored website URLs.
Since the incident
The ICO noted that since the incidents, ‘LastPass has sought to address the risks previously posed by allowing employees to access their Employee Business vaults using personal devices. Specifically, LastPass issued corporate devices and mobile phones to all employees’. The vendor’s new Acceptable Use Policy prohibits employees from conducting any business activities on their personal devices (and vice versa), and employees are restricted from accessing non-business-approved websites and applications on their corporate devices.
The watchdog noted that thanks to LastPass’ “zero knowledge” encryption system, the most sensitive personal data stored in the customers’ password vaults remained encrypted at all times, even after exfiltration by the threat actor. For more details visit the ICO website.
‘Customers had a right’
John Edwards, UK Information Commissioner, said: “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today. I call on all UK businesses to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks.”
Comment
Dan Panesar, chief revenue officer at Certes, described the ICO’s fine as a watershed moment for the cybersecurity industry because it confirms what many breaches have already shown: the failure point is no longer passwords, it’s what attackers can access once identity is compromised. He said: “This incident didn’t hinge on cryptography being broken; it hinged on endpoints being breached and backups being reachable. That’s a critical distinction regulators are now making very clearly. The uncomfortable reality for organisations is that identity controls, MFA, and zero trust alone do not stop breaches; they are merely speed bumps for attackers. Once attackers obtain legitimate credentials, the decisive question becomes whether the data they reach is readable, usable, and valuable.
“Regulators are signalling a shift away from ‘did you protect the perimeter?’ toward ‘did you make stolen data useless?’ That means treating backups, metadata, and internal flows as high-risk assets rather than secondary ones. This fine should be read as a warning shot. If your security model still assumes breaches are preventable rather than inevitable, regulators will increasingly see that as a governance failure, not just bad luck.”