ICO Slaps Password Manager Firm with $1.6M Fine for 2022 Data Breach
The ICO fined password manager LastPass UK 1.2 million pounds ($1.6 million) for failures leading to a 2022 data breach that compromised the personal data of around 1.6 million U.K. users, it said Thursday. The company didn't immediately comment.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
LastPass lacked sufficiently robust technical and organizational security measures, allowing an attacker to gain unauthorized access to its backup data, the DPA said. There was no evidence that the attacker was able to decrypt customer password vaults, it added.
One incident occurred in August 2022 when the attacker gained access to the corporate laptop of a Europe-based employee; the attacker later compromised a U.S.-based employee's personal laptop, the ICO said. Malware implanted on that personal laptop captured the U.S.-based employee's master password. Combining what was obtained in the two incidents, the attacker then accessed LastPass' backup database and extracted personal data, including customer names, email addresses and phone numbers.
"Password managers are a safe, effective tool for businesses and people to manage their numerous log-in details," and the ICO encourages their use, said Information Commissioner John Edwards.
However, he warned, "it's clear" from this case that "businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced."
Organizations should ensure that internal security systems explicitly consider and address data breach risks, the office said. Where risks are identified, access should be limited to specific user groups, the DPA added.