The ICO’s case against password manager provider LastPass UK Ltd shows that even companies built around security can fail to protect data.
The company was fined £1.2 million following a 2022 breach affecting up to 1.6 million UK users. On the surface this looks like just another cybersecurity incident, but it wasn't a failure of sophisticated encryption. It was a failure of basic controls.
Two incidents, one major breach
What makes this case especially interesting is how the breach unfolded. It wasn’t a single catastrophic failure, but rather a chain of smaller, preventable weaknesses.
A hacker first gained access to a LastPass employee’s corporate laptop, and from there to the company’s development environment and to encrypted credentials linked to its backup systems.
At this stage, no personal data was accessed. LastPass acted quickly and believed the situation was contained. Crucially, the encryption keys needed to unlock the backup data were stored separately, in the vaults of four senior employees.
So far, this looks like a near miss. The real breach came next.
The attacker then targeted one of those senior employees, not through corporate systems but via their personal laptop. Exploiting a known vulnerability in a third-party application installed on that machine, the attacker planted malware and captured the employee’s master password with a keylogger. Because the laptop had been enrolled as a trusted device, it was exempt from the usual second-factor prompt, so multi-factor authentication was effectively bypassed.
Worse still, the employee’s personal and business password vaults were linked, accessible through a single master password.
That single point of failure gave the attacker everything they needed:
- access to the decryption keys
- access to corporate systems
- the ability to combine data from both incidents
The result? The attacker accessed LastPass’ backup database and extracted customer data, including names, email addresses, phone numbers, and website URLs.
LastPass got some things right…
LastPass’ core encryption model did hold up. The company uses a “zero knowledge” design: each vault is encrypted on the user’s own device with a key derived from the master password, which LastPass itself never holds. The attacker obtained encrypted vault backups but not the keys to open them, so customer passwords were not decrypted in this attack (unencrypted fields such as website URLs were exposed, which is why they appear in the list above). That’s a significant technical safeguard and it worked.
But GDPR compliance isn’t just about encryption. The ICO found that LastPass failed to implement appropriate technical and organisational measures overall. Essentially, strong encryption couldn’t compensate for weak operational security.
The key failures
This case highlights several critical missteps:
Over-reliance on BYOD (Bring Your Own Device): Allowing employees, even senior ones, to access sensitive systems from personal devices dramatically increased risk. These devices are harder to control, patch, and monitor.
Blurring the line between personal and professional use: Encouraging (or even allowing) employees to link personal and business password vaults created a dangerous overlap. One compromised password unlocked everything.
Weak device and access controls: The breach exposed gaps in device security standards, vulnerability monitoring, control over which devices were treated as trusted, and privilege and access management.
Failure to anticipate attack chaining: Each incident alone may not have caused a major breach. But together, they created a pathway. The organisation failed to consider how multiple smaller vulnerabilities could be combined.
Why this matters
This fine is not just about LastPass. It’s a warning from the ICO to every UK organisation.
In 2025 alone, the ICO issued multiple GDPR fines for cybersecurity failures, showing a consistent regulatory focus on weak internal controls, poor access management and inadequate risk assessment. These are no longer treated as purely technical issues. They are compliance failures.
John Edwards, the Information Commissioner, noted that customers had a right to expect their data would be kept safe and the company fell short.
Security is about people, not just technology
The breach didn’t happen because encryption failed. It happened because people, devices, and policies weren’t properly controlled. For many UK businesses, the same risks exist today:
- staff using personal laptops for work
- shared or reused credentials
- poor separation between personal and business accounts
- overly broad access privileges
These are everyday practices and they are exactly where regulators are now focusing.
What UK businesses should do now
The ICO has outlined practical steps organisations should take:
- enforce multi-factor authentication across all remote access
- separate work and personal environments (even on the same device)
- ensure systems and software are always up to date
- limit and regularly review access privileges
- consider virtual desktops or controlled environments for high-risk roles
Where possible, restrict business activity to company-issued, secured devices only.
Convenience vs control
The LastPass case is ultimately about a trade-off many organisations make, often without realising it. There is the convenience of using your own device, linking your accounts and accessing everything easily. And there is the need for control, which means managed devices, segregated systems and strict access policies.
LastPass leaned too far toward convenience and paid the price. If your security depends on individuals doing the right thing on unmanaged devices, it’s not strong enough. It’s time to review your policies before the ICO does it for you.
Our 10-step guide to data protection outlines the essential actions organisations should take to build and maintain a robust data protection framework. It turns complex legal requirements into a clear, practical roadmap you can use to assess your current approach and strengthen your policies, controls and practices. Get it here.