Skip to main content
Home

Password manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK

  • Date 11 December 2025
  • Type News
  • Service which promises to help people improve their security, has failed them, leaving them vulnerable 
  • Combination of two isolated incidents enabled hacker to steal personal information relating to 1.6m customer 
  • ‘Zero knowledge’ encryption system ensures customer passwords and vaults are not decrypted   

We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. 

We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass. 

The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs. 

John Edwards, UK Information Commissioner, said: 

“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced. 

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today. 

“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”. 

Details of the two incidents 

Incident one

  • A hacker compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment.
  • No personal information was taken however encrypted company credentials were. If decrypted, this would allow access to the company’s backup database.
  • LastPass took steps to mitigate the hacker’s activity and believed encryption keys remained safe as they were stored outside of the area accessed by the hacker in the account vaults of four senior employees.

Incident two

  • The hacker then targeted one of the senior employees who had access to the decryption keys, gaining access to their personal device via a known vulnerability in a third-party streaming service.
  • A keylogger was installed capturing the employee’s master password and multi factor authentication was bypassed using a trusted device cookie.
  • The hacker then gained access to the employee’s personal and business LastPass vaults, which were linked using a single master password.
  • The hacker then gained access to the employee’s business vault which contained the Amazon Web Service (AWS) access key and decryption key.
  • This information, combined with information taken the day before, enabled the hacker to extract the contents of the backup database which contained the personal information.

Our investigation found no evidence that encrypted passwords and other credentials were able to be unencrypted by the hacker. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, whereby the master password required to access a password vault is stored locally on a customer’s own device and never shared with LastPass. 

Advice and guidance

We urge organisations to ensure internal security policies explicitly consider and address data breach risks. Where risks are identified access should be restricted to specific user groups.

Businesses wishing to review their procedures should turn to our and the National Cyber Security Centre websites which provide a rich source of information detailing ways to improve practices including Working from home – security checklist for employers, Data security guidance and Device security guidance.

Read the full monetary penalty notice here.

 

Notes to editors
  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.