LastPass Fined £1.2 Million for Data Breach

In a significant move, the UK’s Information Commissioner’s Office (ICO) has imposed a £1.2 million fine on LastPass UK Ltd following a data breach in 2022 that compromised the personal information of up to 1.6 million UK users. The ICO determined that LastPass failed to implement sufficiently robust technical and security measures, leading to unauthorized access to its backup database. (ico.org.uk)

The Breach Unfolded

The incident began in August 2022 when a hacker gained access to a LastPass employee’s corporate laptop, allowing them to infiltrate the company’s development environment. While no personal data was taken during this initial breach, the attacker obtained encrypted company credentials. (ico.org.uk)

Subsequently, the hacker targeted a senior employee’s personal device, exploiting a known vulnerability in a third-party streaming service. The attacker installed a keylogger and captured the employee’s master password, and because the device already held a trusted device cookie, no multi-factor authentication challenge was triggered. This access enabled the hacker to extract the contents of the backup database, which contained personal information such as customer names, email addresses, phone numbers, and stored website URLs. (ico.org.uk)


Zero-Knowledge Encryption System

Despite the breach, LastPass’s ‘zero-knowledge’ encryption system ensured that the most sensitive personal data stored in customers’ password vaults remained encrypted at all times, even after exfiltration by the threat actor. (ico.org.uk) In a zero-knowledge design the vault is encrypted on the customer’s own device with a key derived from the master password, so the server, and any backup taken from it, holds only ciphertext. The general caveat for any such design is that once ciphertext is in an attacker’s hands it can be attacked offline, so its protection is only as strong as the master password and the cost of the key derivation behind it.
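As an added illustration, and not code from the ICO notice or from LastPass, the following Python sketch shows the property the paragraph relies on: the vault is encrypted client-side with keys derived from the master password, so the record a server (and therefore a backup) stores contains only a salt, nonce, ciphertext and tag. The encrypt-then-MAC stream construction is a standard-library stand-in for a real AEAD such as AES-GCM; the iteration count, record field names and sample vault are assumptions for the demo. The last function shows the caveat: an exfiltrated record can be guessed against offline, so a weak master password gives the ciphertext away.

```python
"""Client-side encrypted vault demo (added example, not LastPass code).

Only the standard library is used. The HMAC-based stream cipher plus
separate MAC is an illustrative stand-in for an AEAD like AES-GCM.
"""
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

KDF_ITERATIONS = 600_000  # assumed PBKDF2 work factor for the demo


def derive_keys(master_password: str, salt: bytes,
                iterations: int = KDF_ITERATIONS) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the master password.

    This runs on the client; the server never receives master_password.
    """
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, vault: dict,
                  iterations: int = KDF_ITERATIONS) -> dict:
    """Encrypt a vault on the client; the returned record is all a server stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = derive_keys(master_password, salt, iterations)
    pt = json.dumps(vault).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k_enc, nonce, len(pt))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": iterations,
            "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, record: dict) -> Optional[dict]:
    """Return the vault, or None if the password is wrong or the record was tampered with."""
    salt, nonce, ct, tag = (bytes.fromhex(record[k]) for k in ("salt", "nonce", "ct", "tag"))
    k_enc, k_mac = derive_keys(master_password, salt, record["iterations"])
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time tag check before decrypting
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))
    return json.loads(pt)


def offline_guess(record: dict, candidates) -> Optional[str]:
    """What a holder of only the exfiltrated record can do: try master passwords offline.

    Every guess costs one full key derivation, which is why the iteration
    count and the master password strength decide whether this succeeds.
    """
    for guess in candidates:
        if decrypt_vault(guess, record) is not None:
            return guess
    return None


if __name__ == "__main__":
    sample_vault = {"example.com": {"user": "alice", "pw": "correct horse"}}  # constructed
    stored = encrypt_vault("a-long-random-master-passphrase-8f2k", sample_vault)
    print("server-side record:", stored)  # no plaintext credential appears here
    print("decrypt with right password:", decrypt_vault("a-long-random-master-passphrase-8f2k", stored))
    print("decrypt with wrong password:", decrypt_vault("wrong", stored))
```

The record returned by `encrypt_vault` is the only thing a server, and hence a stolen backup, ever holds; `offline_guess` is the attacker's side of the story, and raising the iteration count makes each guess proportionally more expensive.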

Regulatory Response

John Edwards, the UK’s Information Commissioner, emphasized the importance of robust security measures for companies offering security services like password management. He stated, “LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation … .” (ico.org.uk)

LastPass’s Response

A LastPass spokesperson acknowledged the ICO’s decision and highlighted the company’s ongoing efforts to enhance platform security. They stated, “We have been cooperating with the … .” (ico.org.uk)

Implications for the Industry

This incident underscores the critical importance of implementing robust security measures, especially for companies handling sensitive personal information. The attack path described by the ICO, from a corporate laptop to a development environment, then to a personal device where a keylogger and a trusted device cookie defeated multi-factor authentication, shows why access to production data and backups must be tightly restricted, why privileged work should not be done from personal devices, and why long-lived “trusted device” exemptions from MFA deserve the same scrutiny as the credentials they replace. Organizations must ensure that appropriate technical and organizational measures are in place to prevent unauthorized access and data breaches.
