The UK Information Commissioner’s Office has slapped LastPass with a £1.2 million fine after determining that weak security measures allowed a hacker to gain unauthorised access to a backup database and steal sensitive data.

The UK Information Commissioner’s Office has fined LastPass £1.2 million after inadequate security measures allowed a threat actor to breach a backup database and steal confidential data.
LastPass is a popular password manager that securely stores passwords, payment info, and notes in an encrypted vault, autofills logins, and generates strong, unique passwords.
In August 2022, attackers accessed a third-party cloud service used by LastPass and GoTo, stealing source code, technical data, and customer info. Encrypted vaults remained secure, protected by 256-bit AES and users’ master passwords, which LastPass does not store.
Later in 2022, a second breach occurred when an unauthorised actor used data from the August incident to access more customer information via the same cloud storage provider. No passwords were exposed, owing to LastPass’s encryption and zero-knowledge design.
Investigators found that attackers breached LastPass’s internal network by exploiting an unpatched Plex Media Server on a senior DevOps engineer’s personal laptop, enabling them to deploy malware and access cloud backups containing system configuration data, API secrets, and customer information.
On December 11, the ICO announced a £1.2 million fine for LastPass, finding that inadequate technical and security measures allowed a hacker to access its backup database.
“We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users,” the ICO said.
Commenting on the news, John Edwards, UK Information Commissioner, said, “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.
“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks,” he added.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543