
LastPass just fined for 2022 data breach and now owes ICO £1.2m


  • The ICO has fined LastPass £1.2 million ($1.6 million).
  • More than 1.6 million users have had their data exposed in a data breach.
  • The exposed data includes names, e-mails, phone numbers and web addresses.

Britain’s Information Commissioner’s Office has fined password management provider LastPass £1.2 million ($1.6 million) for a 2022 data breach that affected 1.6 million users.

According to the ICO, LastPass “failed to implement sufficiently robust technical and security measures,” resulting in two separate data breach incidents.

Researchers later linked a series of six-figure cryptocurrency thefts to the LastPass breach.

Companies are paying attention to it

The breach began when an attacker obtained encrypted company credentials after compromising a laptop with access to the LastPass development environment.

The attacker then gained access to the LastPass backup database by planting a keylogger on a senior employee’s laptop and stealing a trusted-device authentication cookie.

The hacker gained access to the employee’s personal and professional accounts and stole an Amazon Web Services (AWS) access key and a decryption key.

The attacker used the previously obtained keys to extract the contents of the backup database full of personal information.

LastPass uses a zero-knowledge encryption model, so the stored passwords were never confirmed to have been cracked. The attacker did, however, exfiltrate registered customers’ names, emails, phone numbers and web addresses.

John Edwards, UK Information Commissioner, said: “Password managers are a safe and effective tool for businesses and the public to manage their multiple credentials and we continue to encourage their use. However, as this incident makes clear, companies offering these services must ensure that access to and use of the system is restricted to ensure that the risk of attack is significantly reduced.”

“LastPass customers had a right to expect that the personal information entrusted to the company would be kept secure. However, the company failed to meet that expectation, resulting in an appropriate penalty being imposed today.”

“I urge all UK businesses to take note of the findings of this research and urgently review their systems and procedures to ensure they do not expose themselves or their customers to similar risks.”

A LastPass spokesperson said: “We have been working with the UK ICO since we first alerted them to this incident in 2022. While we are disappointed with the outcome, we are pleased that the ICO’s decision recognizes many of the efforts we have already made to further strengthen our platform and improve our data security measures.