ICO issue fine of £1.2m for UK GDPR failings

  • 16 Feb 2026
  • 2 min read

The ICO ended 2025 with the announcement in November that it had fined password manager provider LastPass UK Ltd £1.2 million for failing to implement appropriate technical and organisational security measures as required by the UK GDPR.

As is often the case, this fine was a long time coming and related to a personal data breach in 2022 which compromised the personal data of up to 1.6 million UK users (including customer names, email addresses and phone numbers). This fine highlights the risk of personnel using personal devices for work purposes (often called BYOD, bring your own device), with the ICO noting that the case shows the “real risks” that BYOD policies can introduce and the importance of building robust controls.
 
In this case, a hacker initially gained access to the corporate laptop of an employee, allowing them to reach the company’s development environment and the encrypted credentials for the company’s backup database. At this stage, no personal data was taken and LastPass took steps to mitigate the effect of the hacker’s actions. LastPass believed the relevant encryption keys remained safe, as they were stored outside the area the hacker had accessed, in the account vaults of four senior employees.

However, the hacker then gained access, via a known vulnerability in a third-party app, to the personal laptop of one of those four senior employees (based in the US) who had access to the decryption keys. The hacker was then able to install a keylogger which captured the employee’s master password, and multi-factor authentication was bypassed using a trusted device cookie. The hacker then gained access to the employee’s business and personal LastPass vaults, which were linked using a single master password – the business vault contained the required access and decryption key.

Ultimately, the combined detail obtained by the hacker from the UK and US employees allowed it to access personal data on LastPass’ backup database. The ICO found that LastPass failed to implement sufficiently robust technical and security measures and highlighted weaknesses in security practices relating to device and account management. Importantly though, there was no evidence that the hacker was able to decrypt customer passwords, as these are stored locally on customers’ devices rather than by LastPass.

Two key issues were highlighted:

  1. LastPass allowed its personnel to use their own devices for work purposes.
  2. Staff were encouraged to link their employee and personal LastPass accounts, and could use one master password to unlock both.

The ICO have recommended five actions organisations should take if they allow staff to use personal devices for work purposes:

  1. Enforce multi‑factor authentication for all remote access.
  2. Separate work from personal (on both work and personal devices) using managed profiles or containers.
  3. Keep operating systems and security software up to date and promptly block outdated devices.
  4. Limit admin privileges and review access privileges regularly.
  5. Consider virtual desktop or remote app solutions for high‑risk roles.

Where possible, the ideal is to restrict business activities to secured, business-issued devices only. Those devices should have restrictions on unapproved apps and software, and there should be a strict policy prohibiting cross-use of business credentials for personal accounts or devices.
