UK’s Data Watchdog Fines LastPass £1.2m for 2022 Security Breach Affecting 1.6 Million Users
The Information Commissioner’s Office levies a substantial penalty against the password manager for failing to secure personal data, though core encrypted passwords remained protected.
The United Kingdom’s Information Commissioner’s Office has imposed a £1.2 million monetary penalty on LastPass UK Ltd for lapses in security that led to a significant data breach in 2022, exposing the personal information of up to 1.6 million British users.
The regulator concluded that LastPass failed to implement sufficiently robust technical and organisational measures, enabling a threat actor to access the company’s backup database and extract names, email addresses, phone numbers and stored website URLs linked to customer accounts.
The breach unfolded in a sequence of two related incidents in August 2022, beginning with an unauthorised intrusion into a corporate laptop used by a LastPass employee, which yielded encrypted company credentials and access to the development environment.
Shortly afterwards, the attacker targeted another employee’s personal device, exploiting a known software vulnerability to install malware and capture credentials, ultimately bypassing multi-factor authentication and gaining access to cloud storage containing backup data.
While the ICO’s enforcement action found no evidence that encrypted passwords or other highly sensitive credentials were decrypted, owing to LastPass’s zero-knowledge encryption architecture under which master passwords are stored only on user devices, the regulator emphasised that the company nonetheless fell short of customers’ legitimate expectations for safeguarding their data.
Information Commissioner John Edwards underlined that password managers remain vital tools for security but must be safeguarded with rigorous access controls and internal protections.
In announcing the fine, the ICO called on organisations across the UK to review their own cybersecurity measures to mitigate similar risks.
LastPass said it has cooperated with the ICO since the incident and has taken steps to enhance its platform security, reaffirming its commitment to serving millions of individual and business users while strengthening overall protections.