UK ICO Penalizes LastPass for 2022 Data Breach

Encryption & Key Management,
General Data Protection Regulation (GDPR),
Security Operations

UK Regulator Fines Password Manager LastPass £1.2 Million


The UK Information Commissioner’s Office (ICO) has levied a substantial fine of £1.2 million against LastPass, the password management service, following a significant data breach in 2022. This incident compromised sensitive information belonging to millions of users and has raised serious questions about the company’s security protocols.

According to ICO reports, hackers accessed backup data from LastPass’s Amazon Web Services S3 bucket, which included the email and IP addresses of approximately 1.6 million UK accounts, along with the names and phone numbers of thousands of customers. This breach has led many to scrutinize the practices surrounding data protection in cloud environments.

Information Commissioner John Edwards stated, “LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short, resulting in the fine announced today.” This penalty translates to about $1.6 million in U.S. currency.

The investigation found that the initial compromise occurred on August 11, 2022. Attackers gained a foothold in the development environment through a compromised MacBook Pro belonging to a LastPass software developer. Although no customer personal data was stored on that device, the intrusion allowed the hackers to steal source code and obtain an encryption key used to protect data stored in AWS. At the time, the company judged that the corresponding decryption key was sufficiently segregated and concluded that no further action was necessary.

After this breach, the hackers compromised a second LastPass developer's desktop computer by exploiting a known vulnerability in the Plex streaming media server. They installed a keylogger, which gave them the decryption key; combined with the encryption key already stolen, this gave them full access to the LastPass AWS environment where the customer account backup database was kept.

Fortunately, LastPass asserts that user passwords and secure notes remained untouched because of a protective measure known as "zero-knowledge architecture," in which only the user holds the key to their vault. Nevertheless, the intrusion gave the attackers unauthorized access to customer names, billing addresses, email addresses, phone numbers, and IP logs, further deepening the fallout from the breach.
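The zero-knowledge split described above is easiest to see in code: the client derives the vault key from the master password, the service stores only an encrypted blob plus the metadata it needs in the clear, and a stolen backup therefore exposes that metadata but not the vault contents. The following is an added illustration, not LastPass's own scheme or code; every function name, the use of the email address as KDF salt, the iteration count, and the HMAC-SHA256 counter-mode cipher (a standard-library stand-in for AES) are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example of a zero-knowledge vault layout. The client derives the
# vault key from the master password, so the service stores only an encrypted
# blob plus the account metadata it keeps in the clear (email, IP) to operate.
# All names and parameters here are hypothetical; this is not LastPass's scheme.

KDF_ITERATIONS = 100_000  # assumption for the example; production values are higher


def derive_keys(master_password: str, email: str, iterations: int = KDF_ITERATIONS):
    """Client side: vault key = PBKDF2(master password, email as salt).

    The authentication hash is a further one-way derivation of the vault key,
    so the server can verify a login without ever holding the vault key itself.
    """
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode (stand-in for AES so that the
    # example needs only the standard library).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with subkeys split off the vault key; output is nonce||ct||tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Reject the blob unless the tag verifies; a wrong master password fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault tag mismatch: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_backup_record(email: str, ip: str, master_password: str, vault_items: dict) -> dict:
    """What the service would hold for one account in a backup (constructed layout)."""
    vault_key, auth_hash = derive_keys(master_password, email)
    plaintext = json.dumps(vault_items, sort_keys=True).encode()
    return {
        "email": email,                    # stored in the clear
        "last_ip": ip,                     # stored in the clear
        "auth_hash": auth_hash.hex(),      # login verifier only; not the vault key
        "vault_blob": encrypt_vault(vault_key, plaintext).hex(),
    }


def fields_readable_without_master_password(record: dict) -> list:
    """Metadata exposed if the backup itself is taken: everything not under the vault key."""
    return sorted(k for k in record if k != "vault_blob")


def open_vault(record: dict, master_password: str) -> dict:
    """Client-side unlock: re-derive the key and decrypt; raises ValueError on a wrong password."""
    vault_key, _ = derive_keys(master_password, record["email"])
    return json.loads(decrypt_vault(vault_key, bytes.fromhex(record["vault_blob"])))


if __name__ == "__main__":
    rec = build_backup_record("alice@example.com", "203.0.113.5",
                              "correct horse battery", {"example.org": "hunter2"})
    print("readable from the backup alone:", fields_readable_without_master_password(rec))
    print("unlocked on the client:", open_vault(rec, "correct horse battery"))
```

The record makes the trade-off concrete: email and IP address are plaintext because the service needs them, which is exactly the kind of data the article says was exposed, while the vault blob is opaque without the master password. Two design points carry the security: the server receives an authentication hash derived from the vault key rather than the key itself, and the KDF iteration count is the tunable that governs how expensive it is to test master-password guesses against a stolen blob, which is why a defender treats it as a security parameter rather than a performance setting.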

The ICO highlighted two critical security shortfalls that led to the breach: the lack of appropriate access restrictions, which allowed employees to access company data on personal devices, and architectural decisions that merged personal and business vaults via a single master password. While preventing employee access from personal devices may not completely deter such attacks, it would have significantly mitigated their risk.

The ICO initially proposed a fine of £2.6 million but reduced the penalty by 30% in recognition of the proactive measures LastPass took to improve security, which include separating employee business and personal accounts and restricting the use of personal devices for corporate tasks. A LastPass spokesperson said the company has cooperated with the ICO since the incident and pointed to improvements made to its platform to strengthen data security.
