LastPass Fined £1.2 Million After UK Data Breach Exposes 1.6 Million Users
Key Takeaways
- ICO Enforcement: The ICO fined LastPass UK Ltd £1.2 million for security failings linked to a 2022 breach affecting up to 1.6 million UK users.
- Chain of Failures: Two separate incidents, involving compromised employee devices and stolen credentials, combined to give a hacker access to LastPass’ backup database.
- Personal Data Exposed: Names, email addresses, phone numbers, and website URLs were accessed, though passwords and vaults remained encrypted.
- Zero Knowledge Protection: The ICO found no evidence that encrypted passwords were decrypted due to LastPass’ zero-knowledge encryption model.
Deep Dive
The UK Information Commissioner’s Office (ICO) has fined password manager provider LastPass £1.2 million following a 2022 data breach that exposed the personal information of up to 1.6 million UK users, concluding that the company failed to implement sufficiently robust security measures despite offering a service designed to improve online security.
The ICO said the breach stemmed from a combination of two separate but connected security incidents that, together, allowed a hacker to gain unauthorised access to LastPass’ backup database. While the investigation found no evidence that customer passwords or encrypted vaults were decrypted, significant amounts of personal data were accessed, including names, email addresses, phone numbers, and stored website URLs.
According to the regulator, the first incident occurred in August 2022 when a hacker compromised a corporate laptop belonging to a LastPass employee based in Europe. This intrusion gave the attacker access to the company’s development environment and allowed encrypted company credentials to be taken. Although no personal customer data was accessed at that stage, the stolen credentials could have enabled access to LastPass’ backup database if decrypted.
LastPass took mitigation steps following the initial breach and believed the most sensitive encryption keys remained secure, as they were stored outside the affected environment in the account vaults of four senior employees.
However, the hacker subsequently targeted one of those senior employees in a second, more damaging incident. By exploiting a known vulnerability in a third-party streaming service, the attacker gained access to the employee’s personal device and installed malware, including a keylogger. This allowed the hacker to capture the employee’s master password and bypass multi-factor authentication using a trusted device cookie.
Because the employee’s personal and business LastPass vaults were linked under a single master password, the attacker was able to access both. The business vault contained critical Amazon Web Services access credentials and the decryption key required to unlock the backup database. Combined with information obtained during the earlier breach, this enabled the hacker to extract personal data from the backup database.
The ICO stressed that its investigation found no evidence that encrypted passwords or other credentials were decrypted. Under LastPass’ “zero knowledge” encryption model, customer master passwords are held only on users’ own devices and are never sent to or stored by the company, so the attacker could not open password vaults directly even after the backup database was compromised.
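To make the “zero knowledge” point concrete, the following is an added, self-contained Python model of a generic client-side-encrypted vault; it is a constructed illustration, not LastPass’ code, and the key-derivation parameters, the encrypt-then-MAC construction built from HMAC-SHA256, and the field names are all assumptions chosen for the example. It shows what a server in this design actually holds (an authentication hash, an encrypted blob, and whatever metadata is left outside the blob, such as site URLs), why a copy of that database alone does not open the vault, and why the unencrypted metadata is still exposed when the database is taken, which matches the kind of data the article says was accessed.

```python
"""Constructed zero-knowledge vault model (illustrative, not any vendor's code)."""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 600_000  # assumed value for the example, not any vendor's setting


def derive_keys(master_password: str, email: str, iterations: int = KDF_ITERATIONS):
    """Client-side only: returns (vault_key, auth_hash) from the master password."""
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    # One further one-way step: the server receives auth_hash, never vault_key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def _subkeys(vault_key: bytes):
    """Separate keys for the keystream and the tag (domain-separated from vault_key)."""
    enc = hmac.new(vault_key, b"vault-encryption", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"vault-authentication", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumed construction for illustration)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong key or tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext.decode())


def client_enroll(master_password, email, secret_entries, site_urls, iterations=KDF_ITERATIONS):
    """What the client sends to the server at signup: no master password, no vault key."""
    vault_key, auth_hash = derive_keys(master_password, email, iterations)
    return {
        "email": email,
        "auth_hash": auth_hash.hex(),
        "vault_blob": encrypt_vault(vault_key, secret_entries).hex(),
        "site_urls": list(site_urls),  # metadata kept outside the blob (assumed design)
    }


def server_login(record: dict, email: str, presented_auth_hash: bytes) -> bool:
    """Server-side check: compares the one-way auth hash, never sees the vault key."""
    return record["email"] == email and hmac.compare_digest(
        bytes.fromhex(record["auth_hash"]), presented_auth_hash
    )


def what_a_database_breach_yields(record: dict) -> dict:
    """Everything readable from the server record alone, with no master password."""
    exposed = {"email": record["email"], "site_urls": list(record["site_urls"])}
    # The only key-like value on the server is the auth hash; it cannot open the vault.
    try:
        decrypt_vault(bytes.fromhex(record["auth_hash"]), bytes.fromhex(record["vault_blob"]))
        exposed["vault_opened"] = True
    except ValueError:
        exposed["vault_opened"] = False
    return exposed


if __name__ == "__main__":
    # Constructed sample account; the URL is deliberately stored outside the encrypted blob.
    entries = {"bank.example": {"user": "alice", "password": "hunter2"}}
    rec = client_enroll("correct horse battery", "alice@example.com", entries, ["https://bank.example"])
    print("breach of server record yields:", what_a_database_breach_yields(rec))
```

The design choice worth noticing is the split: the server can authenticate a login with `auth_hash` but cannot derive `vault_key` from it, so a stolen copy of the database yields the unencrypted metadata (here the email and site URLs) and an unreadable blob. The model protects only secrets that never leave the client; anything captured on the client itself, such as a master password taken by a keylogger in the second incident the article describes, is outside what this design can defend.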
UK Information Commissioner John Edwards said the case should serve as a warning to organisations offering security-critical services.
“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use,” Edwards said. “However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.”
He added that LastPass customers were entitled to expect stronger protections.
“The company fell short of this expectation, resulting in the proportionate fine being announced today,” Edwards said, calling on UK businesses to urgently review their own systems to avoid exposing customers and themselves to similar risks.