LastPass Smacked Down In The UK For Being Pwned
The UK ICO has fined LastPass £1.2 million following a 2022 breach that exposed personal data and encrypted password vaults belonging to up to 1.6 million UK users. Regulators found the incident stemmed from a chain of failures, beginning with the compromise of an employee’s personal device and escalating through reused credentials, third-party software vulnerabilities, and stolen cloud access keys. While LastPass’ zero-knowledge encryption remained intact, attackers were able to exfiltrate encrypted vaults and sensitive metadata, highlighting how human and personal-device risks can undermine even well-designed security architectures. The ruling reinforces regulators’ growing focus on executive access, remote work exposure, and the need to secure the human attack surface.
If you want to know more, this will help: UK fines LastPass over 2022 data breach impacting 1.6 million users
Chris Pierson, CEO, BlackCloak had this to say:
“This case is a clear reminder that today’s most damaging breaches often begin far outside traditional enterprise controls. Attackers did not defeat encryption or zero-knowledge architecture head-on; they targeted a trusted individual, exploited a personal device, and patiently chained together small gaps until they reached high-value access. For executives and privileged users, personal and professional digital lives are inseparable, and adversaries know it. Controls within the enterprise remain critical, but they must be paired with the continuous protection of personal devices, privacy enhancements, and home network protection. Organizations that fail to secure the digital attack surface for key persons and executives in their personal lives are effectively leaving the back door open to attacks.”
The LastPass incidents (as they’ve been pwned multiple times) illustrate how important it is for organizations to close the holes that lead to this sort of thing happening. And if organizations won’t do this by default, then they need to be punished until they get the message.