Revisiting lessons learned from LastPass 2022

Old data breaches never die. Especially when regulators shine a light on them. Last month, the UK’s Information Commissioner’s Office (ICO) put a 2022 incident at password management company LastPass back in the news cycle, after fining it £1.2m for GDPR infringements.

Excerpt from: AI Autopsy: Why the ICO fined LastPass £1.2m

Although LastPass subsequently changed its policy, at the time of the incident it allowed employees to link their LastPass business and personal accounts, meaning that both could be accessed with the same master password.

This was a key gap in the firm’s security posture, says Wolfgang Goerlich. “The LastPass incident shows that logical separation without trust separation is a security flaw,” he tells Assured Intelligence. “We must separate personal, daily professional, and privileged activities. That separation begins with credential stores and extends into accounts, profiles and computing hardware.”

LastPass’s failure to mandate this separation at the time enabled the attacker to access the decryption key in the engineer’s Employee Business Vault and thereby decrypt the SSE-C key. The same vault also yielded the AWS access key. With those assets in hand, the attacker could access the AWS backups.

The ICO’s penalty notice specifically cites the failure to mandate the separation of personal and business accounts, particularly for senior executives who were high-profile targets.

Read the full article: https://assured.co.uk/2026/ai-autopsy-why-the-ico-fined-lastpass-1-2m/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

Posted by