What Happened

In December 2025 the UK Information Commissioner’s Office (ICO) announced a £1.2 million fine against LastPass UK Ltd after a 2022 data breach that affected the personal information of up to 1.6 million UK users.

The breach occurred through two linked security incidents in August 2022. Attackers first compromised an employee’s corporate laptop and gained access to LastPass’ internal development environment. Encrypted company credentials were taken in that incident. Shortly afterwards, the attacker then breached a senior employee’s personal device using malware and captured their master password. This second breach gave the attacker access to LastPass’ backup database containing customer data such as names, email addresses, phone numbers and stored website URLs.

The ICO found that LastPass did not have sufficiently robust technical and organisational security measures in place to prevent this unauthorised access, leading to the data compromise.

What Was Exposed and What Wasn’t

Importantly, the ICO’s investigation found no evidence that hackers were able to decrypt customer passwords or other highly sensitive credential data stored in users’ vaults. This is because LastPass uses a “zero knowledge” encryption system, meaning master passwords and vault contents are encrypted and stored on customers’ devices, not on LastPass’ servers.

Nonetheless, the breach still exposed personal information, and the ICO has confirmed that the fine reflects a failure to implement appropriate security controls under UK GDPR.

Key Lessons for Businesses

The ICO’s action serves as a reminder that even technology vendors with a security focus must maintain strong internal security practices. Key points for organisations to consider include:

• Ensuring strict access controls for internal systems and sensitive environments.
• Avoiding the use of personal devices for work systems whenever possible and enforcing separation between personal and corporate access.
• Regularly reviewing and testing security policies and technical safeguards to protect against malware and credential compromise.

The ICO continues to encourage businesses to use guidance from the ICO and the National Cyber Security Centre to assess and strengthen their security posture.

Strengthen Your Own IT Security

A fine of this size highlights that even established providers can fall short when internal controls are not fully effective. We recommend that local businesses review their own technology and security arrangements to make sure they are not exposed to similar risks.

If you would like assistance assessing your IT security, identifying vulnerabilities, or improving your data protection measures, please contact us for expert advice and support.

Source:
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/