The UK's Information Commissioner's Office issued a £1.2 million penalty to password management company LastPass' British subsidiary following a 2022 security breach, reports The Record, a news site by cybersecurity firm Recorded Future.
According to the ICO, the company had "failed to implement sufficiently robust technical and security measures" to safeguard the information affected by the breach. In 2022, LastPass had been hit by a pair of intrusions that exposed the personal data of up to 1.6 million people in the UK.
The first occurred in August, when a Europe-based employee's corporate laptop was targeted, allowing an attacker to pilfer certain source code and technical information from its development environment. According to the company, material taken in that initial intrusion was then used to carry out a second attack on the personal laptop of a senior engineer in the United States. During that follow-up incident, the hacker secured credentials and keys from the staff member, "which were used to access and decrypt some storage volumes within the cloud-based storage service."
"We have been cooperating with the UK ICO since we first reported this incident to them back in 2022," explained a LastPass spokesperson.

LastPass hit with £1.2 million fine after 2022 data breach




