Small steps that make a big difference – lessons from the LastPass UK data breach

All organisations that process personal data recognise the risk of data breaches. But do they have suitable cybersecurity measures to stop an attack? Simple technology hygiene measures can make or break an organisation’s cyber resilience and ultimately, compliance with the GDPR.

The ICO has underlined the need for strong yet simple technology hygiene by issuing a significant £1.2 million fine to LastPass UK Ltd, following the data breach it suffered in 2022. 

The facts of the breach

LastPass operates a password management service for individuals and businesses. The service allows users to store a vault of encrypted passwords for different websites, auto-fill logins using those stored passwords, generate strong passwords and add multi-factor authentication to protect against unauthorised access to a customer’s accounts. It suffered two data breaches in which the personal data of over 1.6 million UK users was exposed. The first attack revealed how LastPass encrypts customer data, exposing source code for the system and details of LastPass’s processes. The second attack used information from the first to target a security vulnerability in the personal computer of a senior development operations engineer, who had access to the master password used to encrypt customer personal data and who used this computer to connect to the LastPass network. After infecting the engineer’s computer with a keylogger, the attacker gained enough information to access the data set for nearly three months.

Whilst unencrypted passwords were not immediately exposed, the significant volumes of personal data, source code and knowledge about LastPass’s systems that were taken have served the hackers responsible well: they have since stolen millions of pounds in cryptocurrency and are still using the data to attack other systems nearly three years after the breach. It is also theoretically possible that the attackers could decrypt every password they obtained in the data breach.

The ICO’s findings

The ICO found that, in breach of Article 5(1) and Article 32(1) of the UK GDPR, LastPass had failed to implement appropriate technical and organisational measures to ensure customer data could not be processed unlawfully, without authorisation, or otherwise mishandled. This included permitting employees to access business account vaults on personal devices, thereby encouraging employees to link personal and business accounts under a single master password. These failings contravened ICO and National Cyber Security Centre (NCSC) guidance and led the ICO to issue a financial sanction.

Lessons learned

It is ironic (but sadly, unsurprising) that a service promoting cybersecurity to its customers was itself not secure from cyberattacks. In particular, this incident highlights the need for organisations to:

  • clearly set out their cybersecurity measures to all staff, the expectation that all staff comply with those measures, and how individuals can ensure they comply (especially when the measures change), reinforced through ongoing training;
  • understand the relative strengths and weaknesses of their cybersecurity policies, especially where a ‘bring your own device’ (BYOD) policy operates, given the significant additional risks BYOD presents; and
  • ensure that their cybersecurity measures are routinely reviewed and stress-tested (whether through penetration tests or other resilience assessments), particularly in relation to users with privileged access credentials, so that they understand their strengths and weaknesses against different risks.

How we can help

Anthony Collins can assist in designing policies and governance mechanisms to enforce good digital hygiene across all levels of an organisation. This includes:

  • Developing data compliance policies which incorporate ICO guidance and industry best practice, to work for your organisation and customers.
  • Drafting and negotiating supplier contracts to ensure compliance and optimal cyber security measures are in place, no matter what role you play in processing stakeholder data.
  • Training relevant staff in completing and managing Legitimate Interest and Data Protection Impact Assessments to justify processing personal data.
  • Drafting governance and audit provisions to ensure data protection policies are enforceable and directors know how to react in a crisis.
  • Advising on how to manage data breaches and interactions with the Information Commissioner’s Office.

If you would like to discuss your data and technology hygiene policies, please contact Ben Pumphrey, head of data governance.

To make sure you receive all of our latest insights, subscribe here.

Tags

data protection, data governance, personal data, gdpr, processing, all sectors