On 20 November 2025, the ICO fined Last Pass UK Ltd. (Last Pass) £1.23 million in relation to a data breach which occurred when a hacker unlawfully accessed and exfiltrated personal data.
The hacker compromised an employee's laptop and gained access to encrypted company credentials. Last Pass investigated and considered the encryption keys to be safe, concluding that the hacker could not use the information. In a separate incident, the hacker then targeted the personal device of a senior employee (who had access to the decryption key) through a vulnerability in a third-party streaming service. A keylogger was installed which captured the employee's master password and eventually allowed the hacker to access the backup database, giving access to personal data (although not to the passwords themselves, which were further protected).
Last Pass was deemed to have failed to take appropriate measures to secure personal data in:
- Allowing senior employees to access vaults which contained highly confidential information via the internet from unmanaged personal devices
- Allowing employees to link personal and business accounts with one password
Hackers are getting better and better at exploiting weaknesses in security practices, and it is essential to ensure that every step in your process has been risk assessed and stress tested. Allowing employees to use personal devices for business purposes is something which needs to be considered very carefully, with appropriate security measures in place, backed up by clear policies and procedures to ensure personal data is appropriately protected.
The fine can be found here.