The UK’s data privacy regulator, the Information Commissioner’s Office (ICO), has penalised the password management giant LastPass UK Ltd with a £1.2 million fine over a major security breach in 2022 that affected the personal details and encrypted vaults of up to 1.6 million users in the UK alone.
The ICO concluded that the company failed to put in place sufficiently strong technical and organisational safeguards. Information Commissioner John Edwards noted that a company promising to help people improve their security “has failed them.”
The 2022 Breach: A Chain of Failures
As reported by Hackread.com in 2022, the incident involved a series of human and technical security failures that unfolded in two main phases. The trouble began in August 2022, when an attacker compromised a corporate laptop belonging to a developer in Europe and stole some of the company’s source code and internal information. This initial intrusion did not directly expose customer data.
The attacker then used this stolen material to launch the second, more damaging phase. They targeted a senior engineer in the US (one of only four employees with access to critical decryption keys) and gained access to this employee’s personal desktop computer by exploiting a known flaw in a third-party application, believed to be the Plex Media Server, installed on the device.
Once inside, the attacker installed a keylogger to capture the employee’s master password and stole a trusted-device cookie to bypass Multi-Factor Authentication (MFA). Because the engineer had linked their business and personal accounts under a single master password, the attacker was able to open the corporate vault and obtain an Amazon Web Services (AWS) access key and a decryption key needed to reach customer data.
The stolen data included names, company names, billing addresses, phone numbers, email addresses, and the IP addresses customers used to access the LastPass service, along with encrypted password vaults.
ICO Ruling Highlights Security Failures
The ICO’s ruling was stern. It found that LastPass UK Ltd did not restrict system access sufficiently, allowing the human element, specifically the employee’s use of a personal device and reused credentials, to undermine its security. The regulator stated that LastPass customers had a right to expect their personal information to be kept safe.
It is worth noting, however, that the situation could have been far worse. LastPass CEO Karim Toubba confirmed that customers’ vault passwords remain protected by the company’s ‘zero-knowledge encryption’ design, under which master passwords are known only to the user and are never stored on LastPass servers. The final fine was lowered from an initial proposal of £2.6 million in recognition of the steps LastPass took to prevent a recurrence.
The penalty underlines a crucial lesson for all businesses: the human attack surface, including employees’ personal devices and home networks, is usually the weakest link in even well-secured corporate networks.
Full statement from UK Information Commissioner, John Edwards:
“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details, and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.
“I call on all UK businesses to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks.”
Expert Commentary
In response to this news, Chris Pierson, CEO, BlackCloak, shared the following comments with Hackread.com, stating, “This case is a clear reminder that today’s most damaging breaches often begin far outside traditional enterprise controls. Attackers did not defeat encryption or zero-knowledge architecture head-on; they targeted a trusted individual, exploited a personal device, and patiently chained together small gaps until they reached high-value access.”
Recommending controls and security precautions for businesses and individual users alike, Pierson said, “For executives and privileged users, personal and professional digital lives are inseparable, and adversaries know it. Controls within the enterprise remain critical, but they must be paired with the continuous protection of personal devices, privacy enhancements, and home network protection. Organisations that fail to secure the digital attack surface for key persons and executives in their personal lives are effectively leaving the back door open to attacks.”
