ICO issues £1.2m GDPR fine to password manager provider LastPass
11/12/2025 | ICO
The Information Commissioner's Office (ICO) has issued a £1.2 million monetary penalty to password manager provider LastPass UK Ltd following an August 2022 personal data breach that compromised the personal information of up to 1.6 million of its UK users.
An investigation revealed that LastPass lacked sufficient technical and security safeguards, allowing a hacker to access its backup database. The breach occurred after the hacker first infiltrated a corporate laptop belonging to a European employee and later a personal laptop belonging to a US employee, capturing the employee's master password via malware. The breach resulted in the theft of personal data, including customer names, email addresses, phone numbers, and stored website URLs. However, investigations confirmed that hackers could not decrypt customer passwords, which were protected by a zero-knowledge encryption system that kept master passwords on individual devices rather than with LastPass.
The ICO concluded that LastPass had violated Articles 5(1)(f) and 32(1)(f) of the UK General Data Protection Regulation (GDPR).
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.