Password Manager Must Pay 1.2M Pounds

The British data regulator imposed a fine of 1.2 million pounds against password manager LastPass over a 2022 data breach that exposed the data of millions of its customers.
Unidentified hackers stole backup data from LastPass’s Amazon Web Services S3 bucket. Among the exposed data were email and IP addresses of 1.6 million British accounts, as well as names and phone numbers of thousands of LastPass customers.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today,” said Information Commissioner John Edwards. The fine amounts to $1.6 million.
Analysis by the Information Commissioner’s Office found that the initial compromise took place on Aug. 11, 2022, after attackers compromised a MacBook Pro laptop used by a LastPass software developer and accessed the development environment, which does not contain customer personal data. At the time, hackers stole source code enabling them to obtain an encryption key used to secure data stored in AWS servers – but the company concluded that it didn’t need to rotate the key, since the corresponding decryption key and a separate AWS access key were stored separately.
A day later, hackers broke into the desktop personal computer of another LastPass developer, using a known flaw in the Plex streaming media server. Hackers installed a keylogger – and thereafter, things got worse for the company. The second hacked developer was one of four employees who had access to the decryption key and the AWS access key, which, when combined with the stolen encryption key taken during the first hack, gave hackers access to the LastPass AWS server. That’s where they found a backup database of customer accounts.
LastPass says hackers did not access user passwords or secure notes due to a security feature called “zero knowledge architecture,” under which only users can access the keys to their vault. The hackers were still able to retrieve customer names, billing addresses, email addresses, telephone numbers and IP addresses.
The ICO attributed the hack to two main security flaws: inadequate access limitations that allowed LastPass employees to log into their business vaults from personal devices, and design features that linked personal and business vaults under a single master password.
Stopping employees from accessing business accounts on personal devices would not have completely eliminated the possibility of the hacking incident from occurring, but it “would have significantly reduced the risk,” the regulator said.
The ICO initially proposed a fine of 2.6 million pounds but cut the sum by 30% in light of preventive measures taken by LastPass. These include preventing employees from linking LastPass employee business and personal accounts and prohibiting the use of personal devices for corporate activity.
A LastPass spokesperson said the company has been cooperating with the ICO since 2022. “We are pleased to see that the ICO’s decision has recognized many of the efforts we have already taken to further strengthen our platform and enhance our data security measures,” the spokesperson said.
