- The ICO has fined LastPass £1.2 million ($1.6 million)
- Over 1.6 million users had data exposed in a data breach
- The exposed data included names, emails, phone numbers, and URLs
The UK Information Commissioners Office has fined password manager provider LastPass £1.2 million ($1.6 million) for a 2022 data breach that affected 1.6 million users.
According to the ICO, LastPass “failed to implement sufficiently robust technical and security measures,” that resulted in two separate data breach incidents.
Since the data breach, researchers have linked a string of six figure cryptocurrency heists to said LastPass breach.
Businesses take note
The breach began with an attacker obtaining encrypted company credentials after compromising a company laptop which had access to the LastPass development environment
The attacker then gained access to the LastPass backup database by compromising a senior employee’s laptop with a keylogger, and stealing a trusted device authentication cookie.
With access to both the employee’s personal and business accounts, the hacker then stole an Amazon Web Service (AWS) access key and decryption key.
The attacker used the previously acquired keys to extract the contents of the backup database filled with personal information.
LastPass operated using the zero knowledge encryption format, so no stored passwords have ever been confirmed to have been decrypted. The attacker did however exfiltrate customer names, emails, phone numbers, and stored website URLs.
John Edwards, UK Information Commissioner, said, “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.
“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”.
A LastPass spokesperson said, “We have been cooperating with the UK ICO since we first reported this incident to them back in 2022. While we are disappointed with the outcome, we are pleased to see that the ICO’s decision has recognized many of the efforts we have already taken to further strengthen our platform and enhance our data security measures. Our focus remains on delivering the best possible service to the 100,000 businesses and millions of individual consumers who continue to rely on LastPass.”
