The UK’s Information Commissioner’s Office (ICO) has fined password manager LastPass £1.2 million after a two-part security breach in 2022 compromised information for up to 1.6 million UK users. Information Commissioner John Edwards said password managers remain a useful tool but firms must restrict system access and reduce the risk of attack.
The ICO’s monetary penalty notice details two related incidents in August 2022. In the first, an attacker compromised a developer’s work MacBook Pro, accessed the corporate development environment and exfiltrated 14 of about 200 source code repositories; an AWS security alert helped catch the intruder.
A second, more severe incident on August 12, 2022, involved compromise of a US-based senior DevOps engineer’s personal desktop. The attacker installed a keylogger, stole the engineer’s master password and a session cookie, bypassed multifactor authentication and obtained an AWS access key and a decryption key that, together with an SSE-C key, allowed download of the company’s backup database.
Customer data taken included names, emails, IP addresses, telephone numbers and physical addresses; the ICO recorded more than 1.6 million email and IP addresses, 248,407 telephone numbers, 159,809 names and 118,103 physical addresses. The regulator noted there is still no evidence that customers’ vault passwords were decrypted.
The ICO found LastPass fell short on technical and organisational measures. Investigators flagged that senior staff were permitted and encouraged to link personal and business accounts using the same master password. They also found that AWS GuardDuty alerts sent between October 15 and 22, 2022, were not acted on until November 2, because the alerts went to an outdated distribution list during LastPass’s transition away from its former parent, GoTo.
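The routing failure the ICO describes (alerts emitted for a week but read by nobody because the distribution list was stale) is a control gap that can be checked mechanically. The following is an added example, not LastPass's or GoTo's tooling and not AWS's SDK: it models a simplified GuardDuty-style finding, a route with a primary list and an escalation list, and two checks a defender would want, that every primary recipient still resolves in a directory of live mailboxes, and that any finding left unacknowledged past an SLA is escalated regardless. All addresses, finding types, timestamps and the `ACTIVE_MAILBOXES` directory are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical directory of mailboxes that currently exist. A distribution list
# whose members are absent from this set is "stale": mail to it reaches nobody,
# which is the failure mode the ICO notice describes.
ACTIVE_MAILBOXES = {"secops@example.test", "ciso@example.test"}


@dataclass
class Finding:
    """Simplified GuardDuty-style finding (constructed; not the real AWS schema)."""
    finding_id: str
    finding_type: str
    severity: float                 # GuardDuty uses a numeric severity; higher is worse
    created_at: datetime
    acknowledged_at: Optional[datetime] = None


@dataclass
class Route:
    primary: List[str]      # distribution list the finding is normally sent to
    escalation: List[str]   # fallback owners if the primary route is stale or stalls
    ack_sla: timedelta      # maximum time a finding may sit unacknowledged


def deliverable(addresses: List[str], active: set) -> List[str]:
    """Keep only recipients that still resolve; an empty result means the list is stale."""
    return [a for a in addresses if a in active]


def dispatch(finding: Finding, route: Route, active: set,
             now: datetime) -> Tuple[List[str], List[str]]:
    """Return (recipients, reasons). Reasons are non-empty whenever escalation kicks in."""
    reasons: List[str] = []
    recipients = deliverable(route.primary, active)
    if not recipients:
        reasons.append("primary distribution list has no deliverable recipients")
    age = now - finding.created_at
    if finding.acknowledged_at is None and age > route.ack_sla:
        reasons.append(f"unacknowledged for {age}, exceeds SLA of {route.ack_sla}")
    if reasons:
        # Escalation is additive: the primary list (if any of it works) still gets the alert.
        recipients = sorted(set(recipients) | set(deliverable(route.escalation, active)))
    return recipients, reasons


def sweep(findings: List[Finding], route: Route, active: set,
          now: datetime) -> Dict[str, Tuple[List[str], List[str]]]:
    """Run the routing decision over a batch of findings, keyed by finding id."""
    return {f.finding_id: dispatch(f, route, active, now) for f in findings}


def run_sample() -> Dict[str, Dict[str, Tuple[List[str], List[str]]]]:
    """Constructed scenario: three findings routed through a working and a stale list."""
    now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    findings = [
        # Fresh, unacknowledged, inside the SLA: routine delivery.
        Finding("f-001", "Constructed:IAM/UnusualCall", 5.0, now - timedelta(hours=1)),
        # Acknowledged in time: routine delivery.
        Finding("f-002", "Constructed:S3/UnusualRead", 2.0, now - timedelta(days=3),
                acknowledged_at=now - timedelta(days=2)),
        # Unacknowledged for weeks: must escalate whatever state the list is in.
        Finding("f-003", "Constructed:S3/BulkDownload", 8.0, now - timedelta(days=18)),
    ]
    working = Route(primary=["secops@example.test"], escalation=["ciso@example.test"],
                    ack_sla=timedelta(hours=4))
    stale = Route(primary=["alerts@former-parent.example.test"],   # hypothetical dead address
                  escalation=["ciso@example.test"], ack_sla=timedelta(hours=4))
    return {
        "working_list": sweep(findings, working, ACTIVE_MAILBOXES, now),
        "stale_list": sweep(findings, stale, ACTIVE_MAILBOXES, now),
    }


if __name__ == "__main__":
    for scenario, results in run_sample().items():
        print(f"== {scenario}")
        for fid, (recipients, reasons) in results.items():
            print(f"{fid}: -> {recipients}  {'; '.join(reasons) or 'routine'}")
```

The two checks are deliberately independent: the stale-list test would have fired on the first alert in October, before any SLA clock mattered, and the SLA test catches the case where the list is valid but the humans behind it are not reading it. Running the same check against the routing configuration itself, before any finding arrives, is the cheaper control.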
The ICO said it had to hold LastPass to a higher standard given its business and the distress reported by affected customers.