The UK’s Information Commissioner’s Office (ICO) has fined LastPass UK Ltd £1.2 million for a 2022 data breach that exposed personal details of up to 1.6 million users across the country. The recently announced penalty is as a result of the Commission’s findings of the security company’s failures in adhering to best security practices, which allowed for attackers to steal sensitive data.
Although core password vaults remained encrypted during the attack itself, this enforcement action by the ICO still highlights regulators’ commitment to holding credential management companies accountable for infrastructure and operational security failings, regardless of encryption strength.
The compromised data lost to the attackers’ breach included customer names, email addresses, billing addresses, partial credit card numbers, website URLs, and the technical parameters of each user’s encryption settings.
While the attackers did not decrypt customer password vaults during the exfiltration itself – thanks to LastPass’ “zero-knowledge” encryption architecture where master passwords remain stored locally on user devices – the stolen encrypted vault backups eventually became subject to offline brute-force attacks in the months following the initial breach.
LastPass suffered a Two-Incident Attack Chain
The initial breach occurred in a two-incident attack chain that consisted of two coordinated attacks that if it had happened in isolation, it would have been insufficient for the attackers to achieve full compromise.
Incident 1
The attacker first compromised a European-based employee’s corporate laptop and exfiltrated source code repositories, technical documentation, and a cryptographically protected SSE-C (Server-Side Encryption with Customer-Provided Keys) key that helped secure the backup database.
Importantly, the attacker did not obtain the decryption key itself, only the encrypted version. However, if at this stage, LastPass’ security architecture had prevented escalation, the second incident (Incident 2) wouldn’t have succeeded.
Incident 2
A day after Incident 1, the threat actor then targeted a senior-level employee, who was one of the employees who had full access to the decryption keys. The attacker exploited an unpatched critical vulnerability through a media server running on the employee’s personal device, installed a keystroke logger to capture their master password, and then bypassed multi-factor authentication using a trusted device cookie.
This allowed for the attacker to gain access to the employee’s LastPass account, navigating from one vault to the other to retrieve AWS credentials and the decryption key. With access to the decryption key, the threat actor exfiltrated the entire backup database containing encrypted user vaults, alongside unencrypted customer details such as names, email addresses, billing information, partial credit card numbers, associated website URLs, and even the specific encryption parameters applied to each user’s vault.
Regulatory Findings: ICO identifies fundamental failures in LastPass’ security governance and response
During the ICO’s investigation period, they identified three critical failures of LastPass’ system, which includes;
- Inadequate device security governance: LastPass allowed senior employees with privileged access to use personal devices for accessing business accounts without sufficient endpoint protection, network segmentation, or monitoring. This directly violated basic Bring Your Own Device (BYOD) guidance from the UK’s National Cyber Security Centre (NCSC).
- Master password architecture risk: The company permitted Personal and Employee Business accounts to be linked under a single master password, which enabled lateral movement once one account was compromised. This architectural choice conflated authentication contexts and eliminated compartmentalization as a defensive boundary.
- Incident response failures: Detection mechanisms further failed as AWS GuardDuty alerts triggered on October 15 and 22 went unnoticed due to misconfigured notification lists and internal communication breakdowns, leaving the security operations center in the dark until early November in 2022. This lack of adequate operational oversight directly contravened UK GDPR Articles 5(1)(f) on data integrity and confidentiality alongside Article 32(1) that mandates appropriate technical and organizational measures.
It is important to note that the ICO found no evidence that encrypted passwords and vault credentials were decrypted by the attacker during the active breach phase. However, the £1.2 million fine was issued on LastPass’s failure to implement appropriate technical and organizational security measures as predicated by regulatory bodies.
Since the breach in 2022, LastPass has implemented significant security enhancements post-breach, including prohibition of linked Personal/Employee Business accounts in May 2023, mandatory number matching for multi-factor authentication, enhanced logging and alerting, and deployment of additional security platforms such as CrowdStrike for endpoint protection, CyberArk for privileged access management, Zscaler for cloud security, Qualys for vulnerability management, and GitGuardian for secrets scanning.
