
The regulator found that password manager provider LastPass UK failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database.
There is no evidence that the hackers were able to decrypt customer passwords, as these are stored locally on customer devices rather than by LastPass, but the company was still fined £1.2m as a result.
The incidents occurred in August 2022, when a hacker gained access first to the corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop, on which the hacker implanted malware and captured the employee’s master password.
The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information, which included customer names, emails, phone numbers, and stored website URLs.
Information Commissioner John Edwards, whose office has been under increasing pressure to step up its enforcement, said: “Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use.
“However, as is clear from this incident, businesses offering these services should ensure that system access and use are restricted to ensure risks of attack are significantly reduced.
“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.
“I call on all UK businesses to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks.”
This is the fourth GDPR fine issued this year, following a £3.07m penalty to Advanced Computer Software Group for a ransomware attack, a £2.31m fine to 23andMe and a £14m penalty for Capita.