The Information Commissioner’s Office has fined password manager provider LastPass UK £1.2m following a 2022 data breach that compromised the personal information of up to 1.6m of its UK users.

LastPass was found to have failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. The ICO said there was no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass.

The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs.

John Edwards, UK Information Commissioner, said: “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.

“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks.”

---