UK fines LastPass £1.2 million for data breach affecting 1.6 million people
The British subsidiary of password management company LastPass was fined £1.2 million ($1.6 million) on Thursday by the United Kingdom’s privacy regulator for a data breach in 2022.
LastPass confirmed in December of that year that it had suffered two hacks, the first in August when “some source code and technical information were stolen from our development environment” from the corporate laptop of an employee based in Europe.
The data was then exploited by the attackers in a second attack on the personal laptop of a senior engineer based in the United States. The hacker obtained “credentials and keys” from the LastPass staffer “which were used to access and decrypt some storage volumes within the cloud-based storage service.”
Up to 1.6 million of the company’s British users had their personal information compromised in this incident. Issuing its fine on Thursday, the Information Commissioner’s Office (ICO), said LastPass had “failed to implement sufficiently robust technical and security measures” to protect this data.
The attacker also obtained customer vault data from the password manager, including website names and encrypted copies of the passwords themselves. Such thefts are often described as low-risk because brute-forcing a 256-bit AES key directly would take an impossibly long time. In practice, though, the vault key is derived from the user’s master password, so the real question is whether an attacker holding the ciphertext can guess that master password offline, and the cost of doing so depends on the password’s strength and on the key-derivation settings rather than on AES itself.
The ICO stressed there was “no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass.”
Despite this, some experts fear that hackers have been cracking the passwords from stolen vaults. Independent journalist Brian Krebs reported that “a steady trickle of six-figure cryptocurrency heists” has been tied to the breach.
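Why a stolen but still-encrypted vault is not automatically safe, as an added example (this is not code from the article and not LastPass’s own vault format, which the article does not describe): the vault key is derived from the master password with PBKDF2, so an attacker holding the ciphertext can guess master passwords offline, paying one key derivation per guess, while trying 256-bit AES keys directly is hopeless. The stream cipher below is an HMAC-in-counter-mode stand-in for AES-256-GCM because the Python standard library has no AES; the salt, nonce, iteration count, wordlist and vault entries are all constructed for the example.

```python
import hashlib
import hmac
import json

# All values below are constructed for this example; they are not LastPass's
# vault format, salt, iteration count or any real user's data.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 5_000          # assumed low PBKDF2 count; cost per guess scales linearly with it
NONCE = b"\x00" * 12        # fixed only so the example is reproducible; never reuse a nonce
SECONDS_PER_YEAR = 365.25 * 24 * 3600

VAULT_PLAINTEXT = json.dumps([  # constructed vault contents
    {"url": "https://bank.example", "username": "alice", "password": "correct-horse-battery"},
    {"url": "https://mail.example", "username": "alice", "password": "hunter2"},
]).encode("utf-8")
WORDLIST = ["password", "123456", "letmein", "Summer2021!", "Summer2022!", "lastpass1"]


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 from the master password. The attacker pays this per guess."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _subkeys(key: bytes):
    # Separate keystream and MAC keys so the two HMAC uses never share inputs.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-256-CTR/GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(key: bytes, plaintext: bytes, nonce: bytes) -> dict:
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(key: bytes, blob: dict):
    """Return the plaintext, or None when the key is wrong (authentication tag mismatch)."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def make_stolen_vault(master_password: str, iterations: int = ITERATIONS) -> dict:
    """What an attacker holds after exfiltrating a backup: ciphertext, not the key."""
    return encrypt_vault(derive_vault_key(master_password, SALT, iterations), VAULT_PLAINTEXT, NONCE)


def crack_vault(blob: dict, salt: bytes, iterations: int, candidates):
    """Offline dictionary attack: derive a key per candidate and check whether the tag verifies.
    Nothing here touches a server, so no rate limit or lockout applies."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        plaintext = decrypt_vault(derive_vault_key(guess, salt, iterations), blob)
        if plaintext is not None:
            return guess, plaintext, attempts
    return None, None, attempts


def years_to_exhaust(search_space: float, pbkdf2_iters_per_second: float, iterations: int) -> float:
    """Time to try every master-password candidate at a given PBKDF2 throughput."""
    return search_space * iterations / pbkdf2_iters_per_second / SECONDS_PER_YEAR


def years_to_brute_force_aes256(trials_per_second: float) -> float:
    """Time to try every 256-bit key directly: the figure the 'impossibly long' claim rests on."""
    return 2 ** 256 / trials_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    pw, pt, n = crack_vault(make_stolen_vault("Summer2022!"), SALT, ITERATIONS, WORDLIST)
    print(f"weak master password recovered: {pw!r} after {n} guesses -> {pt.decode()}")
    pw, _, n = crack_vault(make_stolen_vault("9xQ!v2#pL7@zR4m&"), SALT, ITERATIONS, WORDLIST)
    print(f"strong master password: {pw!r} after {n} guesses")
    print(f"AES-256 key brute force at 1e18 trials/s: {years_to_brute_force_aes256(1e18):.2e} years")
    print(f"1e9 candidates at 1e9 PBKDF2 iterations/s, 5k vs 1M iterations: "
          f"{years_to_exhaust(1e9, 1e9, 5_000):.1f} vs {years_to_exhaust(1e9, 1e9, 1_000_000):.1f} years")
```

The two estimates at the end show the asymmetry: raising the iteration count multiplies the attacker’s cost per guess, but a master password drawn from a small space is still recovered quickly at any setting a user would tolerate, which is why targeted guessing of weak master passwords, not breaking AES, is the scenario behind the concern above.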
John Edwards, the Information Commissioner, stated: “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure,” Edwards added. “However, the company fell short of this expectation, resulting in the proportionate fine being announced today.”
LastPass has faced ongoing fallout since the 2022 breach and was spun off into an independent entity last year under new ownership.
“We have been cooperating with the UK ICO since we first reported this incident to them back in 2022,” a spokesperson from LastPass said. “While we are disappointed with the outcome, we are pleased to see that the ICO’s decision has recognized many of the efforts we have already taken to further strengthen our platform and enhance our data security measures. Our focus remains on delivering the best possible service to the 100,000 businesses and millions of individual consumers who continue to rely on LastPass.”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.