Password manager provider LastPass experienced a significant data breach in 2022, with the incident discovered in August 2022 and publicly disclosed in December 2022. The breach involved unauthorized access to customer vault data stored in cloud storage, compromising sensitive customer information including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses. The attack chain began with a compromised developer account that allowed threat actors to access the cloud storage environment containing customer data.
The UK Information Commissioner's Office (ICO) investigated the breach under the UK General Data Protection Regulation (UK GDPR) and determined LastPass failed to implement appropriate technical and organizational measures to protect customer data. The ICO imposed a £1.2 million fine, citing inadequate multi-factor authentication implementation and insufficient monitoring of developer account activity. The regulatory action focused on LastPass's failure to prevent unauthorized access to personal data through compromised credentials.
Attack vector: Compromised developer account leading to unauthorized access to cloud storage.
This breach demonstrates critical failures in identity and access management controls for cloud environments, particularly the inadequate protection of developer accounts with access to sensitive customer data. The incident highlights the necessity of implementing robust multi-factor authentication and continuous monitoring for privileged accounts, even within technology companies specializing in security products. The regulatory fine emphasizes the legal consequences of insufficient technical safeguards under data protection regulations like UK GDPR.