The UK’s Information Commissioner’s Office (ICO) says LastPass must cough up £1.2 million ($1.6 million) after its two-part 2022 data breach compromised information from up to 1.6 million UK users.
Information Commissioner John Edwards said: "Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.
"LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today."
Edwards also stated that all UK businesses should be aware of the fine and take their own steps to ensure that they are protecting customer data.
The first of two security failures occurred when an attacker compromised a company software developer’s work-issued MacBook Pro, accessed the corporate development environment and related technical documentation, and exfiltrated 14 out of around 200 LastPass source code repositories.
The attacker was detected when they triggered an AWS security alert by attempting to run access management commands that the software developer’s account did not have permission to execute.
A postmortem of the incident was unable to pinpoint how the MacBook was compromised as the attack coincided with a scheduled macOS upgrade and the attacker also employed anti-forensics techniques throughout.
The stolen source code contained unencrypted company credentials and encrypted credentials used for production capabilities, including data backup, the ICO’s monetary penalty notice (MPN) [PDF] stated.
It also contained the customer-provided key used for server-side encryption (SSE-C) of the AWS S3 buckets holding production database backups. The attacker acquired this key, but only in encrypted form: they could not use it at this stage, although that changed later, and customer information was unaffected at this time.
The second incident took place a day later, on August 12, 2022, and was the more impactful of the two. It involved the compromise of a personal desktop PC belonging to a US-based senior DevOps engineer – one of four individuals who had access to the decryption key for the SSE-C.
The ICO stated that the attacker gained remote access to this PC by exploiting CVE-2020-5741 (CVSS 7.2), a vulnerability in Plex Media Server, then installed a keylogger to capture the engineer’s master password and a session cookie they later used to bypass MFA.
The attacker used this access to acquire the LastPass AWS access key and decryption key, which together with the SSE-C key could be used to download the company’s backup database.
Customers’ personal data such as names, emails, phone numbers, and stored website URLs were stolen, although there is still no evidence to suggest their passwords were ever decrypted.
Among the stolen data were more than 1.6 million email addresses and IP addresses, 248,407 telephone numbers, 159,809 names, and 118,103 physical addresses.
The MPN stated that LastPass initially thought the SSE-C key was safe after the first attack because its decryption key was protected by the four senior security staffers’ vaults.
Even after rotating credentials on August 18 in response to the first attack, LastPass did not anticipate that the SSE-C key would be compromised once the attacker stole the decryption key on August 20.
The ICO said it issued the fine because LastPass "failed to implement sufficiently robust technical and security measures."
There were also organizational measures that the regulator believed should have reasonably been taken at the time.
One of the major factors that played into this was LastPass’s policy at the time of the attacks that allowed, and actively encouraged, senior staff to link their personal and business accounts, so both could be accessed using the same master password. This included staff who had access to sensitive corporate data.
This meant that, when the DevOps engineer’s desktop was pwned via a Plex bug, the master password used for their personal accounts also granted the attacker the power to gain access to LastPass company secrets.
Another organizational snafu led to the attack remaining undetected for months.
AWS detected unusual activity – attempts to perform actions not typically carried out by the DevOps engineer’s account – and sent GuardDuty alerts to the LastPass distribution list between October 15 and 22, 2022.
These were not picked up by LastPass’s security operations center (SOC) until November 2 because of a failure in the company’s transition away from its former parent, GoTo.
The cloud infrastructure email distribution list AWS had on file contained only one LastPass staffer, its director of software development engineering; the rest comprised GoTo employees.
This outdated distro list and miscommunication between the two teams, old and new, meant that the AWS notifications didn’t reach their intended destination until 18 days after the first was sent.
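Both AWS signals described in this piece, the denied access management commands from the developer’s account in the first incident and the actions "not typically carried out" by the DevOps engineer’s account in the second, are the kind of thing a SOC can detect from CloudTrail without waiting on a vendor alert. The following is an added example, not LastPass code or anything from the ICO notice: it builds a per-principal baseline of API actions over a quiet window, then flags AccessDenied errors on mutating IAM calls and any action a principal has never performed before. The account number, the principal name `dev-alice`, the timestamps and the events themselves are constructed for the demonstration.

```python
"""Baseline-deviation detection over CloudTrail-style records (added example).

The sample records below are constructed, not real telemetry. Field names follow
the CloudTrail record format (eventTime, eventSource, eventName, errorCode,
userIdentity.arn); only the fields the detection uses are present.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical developer principal in a placeholder AWS account.
DEV = "arn:aws:iam::123456789012:user/dev-alice"

SAMPLE_EVENTS = [
    # Baseline window: routine activity for this principal.
    {"eventTime": "2022-08-01T09:00:00+00:00", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": DEV}},
    {"eventTime": "2022-08-02T09:05:00+00:00", "eventSource": "codecommit.amazonaws.com",
     "eventName": "GitPull", "userIdentity": {"arn": DEV}},
    {"eventTime": "2022-08-03T11:00:00+00:00", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": {"arn": DEV}},
    # Post-compromise window: an IAM write the account is not permitted to make,
    # an action this principal has never performed, and one routine call.
    {"eventTime": "2022-08-09T03:12:00+00:00", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "errorCode": "AccessDenied",
     "userIdentity": {"arn": DEV}},
    {"eventTime": "2022-08-09T03:14:00+00:00", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"arn": DEV}},
    {"eventTime": "2022-08-09T03:20:00+00:00", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": DEV}},
]

# IAM API names that change permissions start with one of these verbs.
IAM_WRITE_PREFIXES = ("Put", "Attach", "Detach", "Create", "Update",
                      "Delete", "Add", "Remove")


def _ts(event):
    """Parse the record's eventTime into a timezone-aware datetime."""
    return datetime.fromisoformat(event["eventTime"])


def build_baseline(events, cutoff):
    """Map principal ARN -> set of (eventSource, eventName) seen before cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if _ts(e) < cutoff:
            baseline[e["userIdentity"]["arn"]].add((e["eventSource"], e["eventName"]))
    return baseline


def detect(events, baseline, cutoff):
    """Return alert dicts for events at or after cutoff.

    Rule iam_write_denied: an AccessDenied on a mutating IAM call, i.e. a principal
    probing for permissions it was never granted.
    Rule first_seen_action: an (eventSource, eventName) pair absent from the
    principal's baseline.
    """
    alerts = []
    for e in events:
        if _ts(e) < cutoff:
            continue
        principal = e["userIdentity"]["arn"]
        action = (e["eventSource"], e["eventName"])
        if (e.get("errorCode") == "AccessDenied"
                and e["eventSource"] == "iam.amazonaws.com"
                and e["eventName"].startswith(IAM_WRITE_PREFIXES)):
            alerts.append({"rule": "iam_write_denied", "principal": principal,
                           "action": e["eventName"], "time": e["eventTime"]})
        if action not in baseline.get(principal, set()):
            alerts.append({"rule": "first_seen_action", "principal": principal,
                           "action": e["eventName"], "time": e["eventTime"]})
    return alerts


def run_sample():
    """Baseline on everything before 2022-08-08, then detect over the rest."""
    cutoff = datetime(2022, 8, 8, tzinfo=timezone.utc)
    return detect(SAMPLE_EVENTS, build_baseline(SAMPLE_EVENTS, cutoff), cutoff)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample input the denied PutRolePolicy trips both rules and ListBuckets trips the first-seen rule, while the routine GetObject is silent. The second half of the lesson is not in the code: an alert is only as good as its delivery path, and a rule like this should feed a destination the SOC actually watches and periodically verifies, rather than a mailing list inherited from a former parent company.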
The ICO’s decision to fine LastPass instead of imposing lesser punishments such as reprimands or enforcement notices hinged largely on its permissive attitude toward personal device usage and linking personal and business accounts.
It stated in the MPN that, while these issues alone may not have prevented the second attack from taking place, having separate master passwords for personal and business vaults would have offered a necessary added layer of security between the attacker and decryption key.
The commissioner also noted that it had to hold the company to a higher standard of care given the line of business in which it operates, and the testimony from affected customers about the distress the attack caused.
The Register contacted LastPass for more information, including whether it plans to appeal the fine. ®