UK Fines LastPass for Major Data Breach Impacting 1.6 Million Users
The UK Information Commissioner's Office (ICO) has fined LastPass £1.2 million ($1.6 million) following a significant data breach in 2022 that compromised the personal information of up to 1.6 million UK users. The breach occurred in two stages: initially, an attacker compromised a company developer's work-issued laptop, exfiltrating source code and technical documentation, including unencrypted and encrypted credentials. This access was later leveraged to target a senior engineer's personal laptop, allowing the attacker to obtain credentials and keys used to access and decrypt storage volumes within LastPass's cloud-based storage service. The ICO determined that LastPass failed to implement sufficiently robust technical and security measures to protect customer data, leading to the substantial penalty.
Although the attackers obtained encrypted copies of sensitive data, including website names and passwords, the ICO noted there was no evidence that customer vaults had been decrypted: the key needed to decrypt a vault is derived on the user's own device from the master password, which LastPass does not hold. That protection is only as strong as the master password and the key-derivation work factor behind it, and security experts have raised concerns about offline brute-force attacks on the stolen vaults, with reports linking the breach to cryptocurrency thefts. The ICO emphasized the importance of strong security practices for password management services and urged all UK businesses to take steps to protect customer data in light of this incident.
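The following is an added illustration, not code or data from the ICO, LastPass or this page, of why a stolen encrypted vault invites offline guessing. The record format (PBKDF2-HMAC-SHA256 stretching, a 16-byte salt and a key-check value stored beside the ciphertext), the iteration counts and the candidate wordlist are all constructed assumptions; LastPass's real storage format is not described here.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a stolen, encrypted-at-rest vault record. The
# PBKDF2-HMAC-SHA256 stretching, 16-byte salt and key-check value are
# illustrative assumptions, not LastPass's actual storage format.

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key. An attacker must
    pay this cost for every guess, so 'iterations' caps the offline guess rate."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def key_check_value(vault_key: bytes) -> bytes:
    """Tag stored beside the ciphertext so a client can tell a wrong master
    password from corrupt data; it also lets an offline attacker confirm a guess."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()

def build_stolen_record(master_password: str, iterations: int) -> dict:
    """What the attacker holds after exfiltrating a backup: salt, work factor
    and key-check value (plus, in reality, the ciphertext itself)."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "kcv": key_check_value(key)}

def offline_dictionary_attack(record: dict, candidates):
    """Try candidate master passwords against the stolen record. No server is
    contacted, so rate limits and lockouts never apply. Returns (hit, tried)."""
    tried = 0
    for guess in candidates:
        tried += 1
        key = derive_vault_key(guess, record["salt"], record["iterations"])
        if hmac.compare_digest(key_check_value(key), record["kcv"]):
            return guess, tried
    return None, tried

def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Single-core guess rate at a given work factor on this machine."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)

# Constructed candidate list, standing in for a cracker's wordlist.
CANDIDATES = ["password", "123456", "letmein", "qwerty", "Summer2022!",
              "P@ssw0rd", "iloveyou", "welcome1"]

if __name__ == "__main__":
    weak = build_stolen_record("Summer2022!", iterations=5000)
    print(offline_dictionary_attack(weak, CANDIDATES))     # ('Summer2022!', 5)
    strong = build_stolen_record("rooftop-velvet-quasar-91", iterations=5000)
    print(offline_dictionary_attack(strong, CANDIDATES))   # (None, 8)
    for iters in (5000, 600000):
        print(f"{iters:>7} iterations: {guesses_per_second(iters):.1f} guesses/s")
```

The weak master password falls on the fifth guess regardless of the work factor; the iteration count only changes how many guesses per second the attacker can afford, which is why both a strong master password and a high work factor matter once the encrypted blob is in an attacker's hands.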
Related Stories
Capita Fined for Security Failings in Massive Data Breach Affecting 6.6 Million Individuals
The UK Information Commissioner's Office (ICO) imposed a record £14 million fine on Capita, the country's largest outsourcing company, following a major cyberattack in 2023 that compromised the personal data of 6.6 million people. The penalty was split between Capita plc (£8 million) and Capita Pension Solutions Limited (£6 million), reflecting the widespread impact across both the parent company and its pension subsidiary. The breach affected 325 of the more than 600 organizations that rely on Capita's services, exposing sensitive information such as bank and credit card details, biometric data, passport information, login credentials, and even child data. For some individuals, the stolen data included details of criminal records, financial information, and other special category data.

The ICO's investigation found that Capita failed to implement adequate technical and organizational measures to secure personal data, leaving it vulnerable to attack and unable to respond effectively when the breach occurred. The attack began when a malicious JavaScript file was downloaded onto an employee's device on March 22, 2023, but the compromised device was not quarantined for 58 hours, allowing attackers to access and exfiltrate data. Capita initially claimed there was no evidence of data compromise, but subsequent findings contradicted this, revealing the extent of the breach.

The ICO originally considered a much higher fine of £45 million, but reduced the amount after Capita demonstrated improvements in security, provided support to victims, and cooperated with authorities including the National Cyber Security Centre. The breach led to significant anxiety and stress among affected individuals, with some reporting financial losses. Despite the incident, Capita continued to secure substantial government contracts, with 241 contracts worth £6 billion awarded since the breach.
The ICO emphasized that no organization is too large to be held accountable for data protection failures and highlighted the importance of proactive cybersecurity measures. The fine represents approximately 12 percent of Capita’s 2024 post-tax profits, underscoring the financial and reputational consequences of inadequate data security. The incident serves as a stark reminder to all organizations of the critical need to safeguard personal data and maintain robust incident response capabilities.
5 months ago
Password Manager Security and Trust: Bitwarden ‘Cupid Vault’ Launch and LastPass Post-Breach Rebuild
Bitwarden launched **‘Cupid Vault’**, a feature aimed at safer credential sharing by letting free-tier users create a two-person shared vault as an *Organization* and invite a trusted person via email. The shared vault is **isolated** from the user’s personal vault, supports revocation of access, and includes a **fingerprint phrase** verification step intended to reduce adversary-in-the-middle enrollment risks; both members can edit or delete items in the shared collection. LastPass’s CEO described the company’s ongoing effort to rebuild trust and security culture following the **2022 intrusions**, which began with access to parts of the development environment via a **compromised developer account** and theft of source code/technical data. LastPass said information from that initial compromise enabled subsequent access to customer-related data, including **customer account metadata** (e.g., names, billing addresses, emails, phone numbers, IP addresses) and a **backup copy of encrypted customer vault data**, framing the incident as a catalyst for significant security program changes.
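As an added example of the enrollment check described above (not Bitwarden's code, nor its actual fingerprint derivation, which is not specified on this page), the following simulates a two-person shared-vault enrollment in which the inviter derives a fingerprint phrase from the public key it received and compares it with the phrase the invitee reads out over a separate channel. The Diffie-Hellman group (the prime 2**127 - 1 with generator 3) is a deliberately tiny toy, the 16-word list is constructed, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: far too small for real use, chosen so the exchange
# runs on the standard library alone. Real clients use X25519, RSA or similar.
TOY_P = (1 << 127) - 1
TOY_G = 3

# Constructed 16-word list (4 bits per word). Real fingerprint schemes draw from
# lists of thousands of words; this one only illustrates the mapping.
WORDS = ["apple", "bridge", "candle", "dragon", "ember", "falcon", "garden", "harbor",
         "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper"]

def keygen():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(TOY_P - 2) + 1
    return priv, pow(TOY_G, priv, TOY_P)

def encode_public(pub: int) -> bytes:
    return pub.to_bytes(16, "big")

def fingerprint_phrase(pub_bytes: bytes, words: int = 8) -> str:
    """Map SHA-256(public key) onto words a human can read aloud and compare.
    Each word carries 4 bits here, so 8 words give 32 bits of comparison strength."""
    digest = hashlib.sha256(pub_bytes).digest()
    out = []
    for i in range(words):
        byte = digest[i // 2]
        nibble = (byte >> 4) if i % 2 == 0 else (byte & 0x0F)
        out.append(WORDS[nibble])
    return "-".join(out)

def shared_kek(priv: int, peer_pub: int) -> bytes:
    """Key-encryption key both members derive once they hold each other's real key."""
    secret = pow(peer_pub, priv, TOY_P).to_bytes(16, "big")
    return hmac.new(b"shared-vault-example", secret, hashlib.sha256).digest()

def enroll(inviter_priv: int, received_pub: bytes, phrase_out_of_band: str,
           verify: bool = True) -> bytes:
    """Inviter side. With verify=True the key is accepted only if the phrase
    derived from the key actually received matches the one the invitee read out."""
    if verify and not hmac.compare_digest(fingerprint_phrase(received_pub), phrase_out_of_band):
        raise ValueError("fingerprint mismatch: possible adversary-in-the-middle")
    return shared_kek(inviter_priv, int.from_bytes(received_pub, "big"))

def simulate(attacker_substitutes: bool, verify: bool) -> str:
    """Run one enrollment. Returns 'ok', 'aborted' or 'attacker-shared'."""
    a_priv, a_pub = keygen()   # inviter
    b_priv, b_pub = keygen()   # invitee
    m_priv, m_pub = keygen()   # adversary sitting on the invitation channel
    phrase_out_of_band = fingerprint_phrase(encode_public(b_pub))  # read over a call
    delivered = encode_public(m_pub if attacker_substitutes else b_pub)
    try:
        kek = enroll(a_priv, delivered, phrase_out_of_band, verify)
    except ValueError:
        return "aborted"
    if kek == shared_kek(b_priv, a_pub):
        return "ok"
    return "attacker-shared" if kek == shared_kek(m_priv, a_pub) else "unknown"

if __name__ == "__main__":
    print(simulate(attacker_substitutes=False, verify=True))   # ok
    print(simulate(attacker_substitutes=True, verify=True))    # aborted
    print(simulate(attacker_substitutes=True, verify=False))   # attacker-shared
```

Without the phrase check the inviter ends up sharing a key with whoever controlled the invitation channel; with it, a substituted key produces a different phrase and enrollment stops before anything is shared. The comparison must happen over a channel the adversary cannot also rewrite, which is why the phrase is meant to be read aloud or confirmed in person rather than pasted into the same invite flow.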
1 month ago
Nexpublica France Fined for Inadequate Security After Data Breach
France’s data protection authority, CNIL, imposed a €1.7 million ($2 million) fine on the software company Nexpublica France following a data breach that exposed sensitive documents of third parties through a company portal. The breach, reported in November 2022, allowed users to access documents belonging to other individuals, prompting an investigation by CNIL, which found that Nexpublica’s data security program was insufficient and failed to meet basic security standards. The regulator cited several aggravating factors in determining the fine, including Nexpublica’s lack of awareness of fundamental security principles, the number of people affected, the sensitivity of the exposed data, and the company’s financial capacity. CNIL also noted that Nexpublica was aware of the security issues prior to the breach but did not take corrective action until after the incident, constituting a violation of the General Data Protection Regulation (GDPR).
2 months ago