Brian Sims
Editor

LastPass UK Ltd fined £1.2 million by ICO in wake of data breach

THE INFORMATION Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd the sum of £1.2 million following a 2022 data breach episode that compromised the personal information of up to 1.6 million of its UK users.

The ICO found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its back-up database. There’s no evidence to suggest that the hacker was able to decrypt customer passwords, as these are stored locally on customer devices and not by LastPass.

The incidents occurred in August 2022, when a hacker gained access first to the corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop, on which the hacker implanted malware that captured the employee’s master password.

The combined detail from both incidents enabled the hacker to access LastPass’ back-up database and take personal information, which included customer names, e-mails, phone numbers and stored website URLs.

Restricted access

John Edwards, the UK’s Information Commissioner, said: “Password managers are a safe and effective tool for businesses and members of the public to manage their numerous login details. We continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure that the risk of attack is significantly reduced.”

Edwards continued: “LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine that we’ve announced.”

Further, Edwards noted: “The ICO calls on all UK businesses to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they’re not leaving their customers and themselves exposed to similar risks.”

Incidents in detail

In the first incident, a hacker compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment. No personal information was taken. However, encrypted company credentials were appropriated. If decrypted, this would allow access to the company’s back-up database.

LastPass took steps to mitigate the hacker’s activity and believed the encryption keys remained safe, as they were stored in the account vaults of four senior employees, outside of the area accessed by the hacker.

In the second incident, the hacker then targeted one of the senior employees who had access to the decryption keys, gaining access to their personal device via a known vulnerability in a third-party streaming service.

A keylogger was installed, duly capturing the employee’s master password, and multi-factor authentication was bypassed using a trusted device cookie. The hacker then gained access to the employee’s personal and business LastPass vaults, which were linked using a single master password.

Back-up database

The hacker gained access to the employee’s business vault, which contained the Amazon Web Services access key and the decryption key. This information, combined with information taken the day before, enabled the hacker to extract the contents of the back-up database containing the personal information.

As stated, the ICO’s investigation found no evidence that encrypted passwords and other credentials could be decrypted by the hacker. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, whereby the master password required to access a password vault is stored locally on a customer’s own device and never shared with LastPass.
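The ‘zero knowledge’ design the article refers to, and what a copy of the back-up database does and does not expose, can be illustrated with a small model. The example below is added here for illustration; it is not LastPass code and does not describe LastPass’ actual implementation. The master password and the vault key derived from it never leave the client, the server receives only a separately derived authentication hash, and the stored vault holds encrypted credentials beside unencrypted URLs, which is why a stolen back-up yields names, e-mails and URLs but not passwords. The iteration counts, record layout and the HMAC-counter-mode cipher (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for this example; a real product tunes these to its
# own threat model and hardware.
PBKDF2_ITERATIONS = 100_000   # client-side master password stretching
SERVER_ITERATIONS = 10_000    # server-side hashing of the received auth hash
NONCE_LEN = 16
TAG_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the vault key is derived on the device and never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), PBKDF2_ITERATIONS)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one further derivation gives the login value sent to the server.
    Knowing it does not reveal the vault key or the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stdlib stand-in for a real AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes):
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_field(vault_key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC of one vault field: base64(nonce || ciphertext || tag)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def decrypt_field(vault_key: bytes, blob_b64: str) -> str:
    """Verify the tag before decrypting; a wrong key or tampered blob is rejected."""
    enc_key, mac_key = _subkeys(vault_key)
    blob = base64.b64decode(blob_b64)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault field failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def create_account(email: str, master_password: str, entries: list) -> dict:
    """Simulated enrolment. Returns only what the server stores: a salted hash of the
    auth hash, and vault records with the URL in the clear (as in the breach the
    article describes) and credentials encrypted under the client-held vault key."""
    vault_key = derive_vault_key(master_password, email)
    auth_hash = derive_auth_hash(vault_key, master_password)
    server_salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, SERVER_ITERATIONS)
    vault = [{"url": e["url"],
              "username": encrypt_field(vault_key, e["username"]),
              "password": encrypt_field(vault_key, e["password"])} for e in entries]
    return {"email": email, "server_salt": server_salt.hex(),
            "verifier": verifier.hex(), "vault": vault}


def login(record: dict, email: str, master_password: str) -> bool:
    """Server-side check: the client sends its auth hash, the server re-hashes it."""
    if email.lower() != record["email"].lower():
        return False
    auth_hash = derive_auth_hash(derive_vault_key(master_password, email), master_password)
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash,
                                    bytes.fromhex(record["server_salt"]), SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(record["verifier"]))


def open_vault(record: dict, email: str, master_password: str) -> list:
    """Client side: decrypt every field with the locally derived vault key."""
    vault_key = derive_vault_key(master_password, email)
    return [{"url": r["url"],
             "username": decrypt_field(vault_key, r["username"]),
             "password": decrypt_field(vault_key, r["password"])} for r in record["vault"]]


def backup_dump_exposes(record: dict) -> list:
    """What a holder of the server-side back-up can read without any master password:
    the account e-mail and the unencrypted site URLs, mirroring the 2022 incident."""
    return [record["email"]] + [r["url"] for r in record["vault"]]
```

The point of the split derivation is that the server never holds anything from which the vault key can be computed cheaply: an attacker with the back-up has the e-mail, the URLs and ciphertext, and the only route to a password is guessing the master password through the full client-side PBKDF2 cost, one guess at a time. Weak or reused master passwords, and unencrypted metadata such as URLs, are therefore the residual exposure in such a design.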

Company Info

Western Business Media Limited