UK Fines LastPass £1.2 Million Over 2022 Data Breach

Summary
– LastPass was fined £1.2m by the UK’s ICO for security failings that led to a major 2022 data breach affecting an estimated 1.6 million users.
– The breach compromised personal information like customer names, emails, and stored website URLs, but the ICO states there is no indication encrypted passwords were decrypted.
– The breach occurred through a multi-stage attack where a hacker compromised an employee’s device, stole credentials, and ultimately accessed a backup database containing customer data.
– The ICO and security experts emphasize that while password managers are recommended, providers must implement robust security measures and manage risks from backups and third-party services.
– Key lessons highlighted include the need for strong security frameworks, clear staff policies on device use, and vigilance regarding supply chain and third-party application risks.
The UK’s data protection authority has imposed a £1.2 million fine on LastPass for security failures that enabled a significant data breach in 2022. The Information Commissioner’s Office determined that the popular password manager did not implement adequate technical and organizational measures to protect its users’ data. While the regulator noted there is no evidence that attackers managed to decrypt stored passwords, the incident compromised personal details for an estimated 1.6 million individuals. This information included customer names, email addresses, phone numbers, and the URLs of websites stored within user vaults.
Information Commissioner John Edwards emphasized that the ICO still advocates for the use of password managers by both businesses and consumers to bolster security. “However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced,” he stated. Edwards further clarified that users had a reasonable expectation that their entrusted personal data would be safeguarded, a standard LastPass failed to meet, leading to the substantial penalty.
The breach unfolded through a multi-stage attack. Initially, a threat actor compromised a corporate laptop belonging to a LastPass employee. This provided access to the company’s development environment and allowed the theft of encrypted corporate credentials for a backup database. LastPass operated under the assumption that the corresponding encryption keys were secure in a separate location. This assumption proved fatal when the same hacker later targeted a senior engineer who possessed those decryption keys.
The attacker compromised the engineer’s device by exploiting a known vulnerability in a third-party media streaming application. A keylogger was installed, which captured the employee’s master password. The hacker then bypassed multi-factor authentication using a stolen trusted device cookie. Gaining access to the employee’s personal and business LastPass vaults, which were linked under the same master password, the attacker located critical Amazon Web Services access and decryption keys within the business vault. Combining these keys with the previously stolen encrypted credentials allowed the complete extraction of the backup database’s contents.
Security experts point to crucial lessons from this incident. Chris Linnell, an associate director of data privacy at Bridewell, noted that security must extend beyond the core product itself. “You need strong information security and privacy frameworks in place, and you can’t ignore the less obvious risks – backups, secondary databases, and other systems that attackers often target,” he explained. The breach also underscores the importance of robust internal policies. Linnell highlighted the need for clear acceptable use policies for company devices, as the initial vulnerability stemmed from a third-party application. This serves as a stark reminder of the persistent and significant risks present within technology supply chains.
(Source: Info Security)
