When the Password Manager Fails at Passwords: The £1.2 Million LastPass Lesson

Pull up a chair. We need to talk about LastPass.

The ICO just handed LastPass a £1,228,283 penalty notice, and if you're running a UK small business using password managers (and you bloody well should be), this one's worth your attention. Not because LastPass is evil. Not because password managers are dangerous. But because this case perfectly illustrates how even companies built on security can cock it up spectacularly when they ignore basic principles.

What Actually Happened

Between August and September 2022, someone nicked data belonging to 1.6 million UK LastPass customers. Email addresses, IP addresses, names, phone numbers, physical addresses. The lot.

The ICO investigated for nearly three years. Their conclusion? LastPass breached Article 5(1)(f) (integrity and confidentiality) and Article 32(1) (security of processing) of UK GDPR. Translation: they didn't implement appropriate technical and organisational measures to keep customer data secure.

Here's where it gets interesting for you as a small business owner.

The Technical Bit (Simplified)

LastPass encrypts your vault contents with what they call "zero knowledge" architecture. Your master password never leaves your device; the key that encrypts and decrypts the vault is derived from it locally, so nobody at LastPass can see inside your vault. This bit actually worked. The encrypted vault data the attacker grabbed is still encrypted, and without your master password it is useless, with two caveats worth knowing: a stolen vault can be attacked offline by guessing master passwords, so a weak or reused one is a liability, and by LastPass's own account at the time some vault fields, such as website URLs, were not encrypted at all.

Good news, right? Yes. But that's not where LastPass messed up.

They failed in two catastrophically stupid ways:

Mistake One: Personal Devices for Corporate Access

LastPass allowed senior employees (the ones with access to highly confidential corporate credentials) to access their company LastPass accounts from personal computers. Not managed corporate laptops. Personal devices. With whatever sketchy software these folks had installed for personal use.

One senior development engineer used his personal computer to access his work LastPass vault. That same computer had an outdated version of Plex media server installed. You know, for streaming films at home.

The attacker exploited a known vulnerability in that Plex software (one that had been patched upstream long before), installed a keylogger, and captured everything the engineer typed. Including his LastPass master password, entered after he had already passed MFA, so the second factor was spent by the time the credential was stolen.

Mistake Two: Linked Accounts

LastPass actually encouraged employees to link their personal and business LastPass accounts. One master password for both. Convenient, right?

Catastrophically stupid.

When the attacker got that master password, they accessed both accounts. The business account contained the credentials and decryption keys needed to reach LastPass's cloud backup storage, including the backup database with all those customer details.

The ICO's View

The ICO was blunt. They said LastPass should have:

  1. Restricted access to corporate vaults to company-managed devices only

  2. Prohibited linking of personal and business accounts

  3. Known better, given their business is literally password security

The ICO noted that their own guidance (and NCSC guidance) explicitly warns against allowing corporate data access via personal devices through web browsers. "There are no technical controls that you can reliably enforce to prevent data loss," says the NCSC.

LastPass had ISO 27001 certification. They had MFA. They had various security measures in place. But they ignored the fundamentals.

What This Means for Your Business

Right. Let's bring this home to your 15-person company in Watford.

You're not LastPass. You don't have 1.6 million customers. But the principles apply exactly the same way.

If you let employees access corporate systems from personal devices:

Your employee's home laptop might have their kid's dodgy Minecraft mods installed. Their partner's questionable browser extensions. That "free PDF converter" they downloaded last month. Any of these could be the entry point.

You can't control what's on personal devices. Full stop.

If you let employees use the same password for personal and business accounts:

You've just turned one compromised password into two compromised systems. Convenience kills security. Every single time.

The Budget-Conscious Approach

Here's the bit where I don't tell you to spend £50,000 on enterprise MDM solutions.

For most small businesses, fixing this costs less than your monthly coffee budget:

  1. Separate Work and Personal - Different passwords for business and personal accounts. Not linked. Ever.

  2. Company Devices - You don't need fancy kit. A refurbished Lenovo ThinkPad for £400 beats any personal device for business use. Lock it down. Only approved software. If your Microsoft 365 business plan includes device management (Intune comes with Business Premium), use the controls you're already paying for rather than buying a separate MDM.

  3. MFA Properly - Not SMS. Not emails. Hardware keys (a YubiKey costs about £25) or authenticator apps. The ICO specifically noted LastPass had MFA but it wasn't enough because the attacker grabbed a "trusted device cookie." That's the caveat: a hardware key stops phishing and password replay, but no second factor saves you once the device itself is keylogged and the already-authenticated session is stolen. That's why item 2 comes before item 3.

  4. Clear Policies - Write down what's allowed and what isn't. "Personal devices for business access: No. Business devices for personal use: No." Simple.

This isn't enterprise-level security. This is basic hygiene. LastPass failed basic hygiene.

The Irony Hurts

A password manager company got fined for password security failures. Let that sink in.

They weren't hacked because their encryption was weak. They were hacked because an engineer accessed corporate systems from a personal computer with vulnerable software installed.

After 40 years in this business (Intel, Disney, BBC, the lot), I've seen this pattern repeatedly. Technical security is brilliant. Human processes are rubbish. Attackers don't break the encryption. They go around it.

What LastPass Did After

Credit where due: LastPass fixed it. Eventually.

They now:

  • Require company-owned devices for all employees

  • Prohibit business activity on personal devices

  • Ban linking of business and personal accounts

  • Use hardware authentication keys

  • Apply web filtering to block non-approved sites on corporate devices

They spent three years and presumably serious money fixing what should never have been broken in the first place.

The Practical Action Plan

If you're using LastPass (or any password manager) for your business:

This Week:

  1. Check if your team can access their business vault from personal devices. If yes, stop it.

  2. Find out if anyone has linked personal and business accounts. Unlink them.

  3. Verify your business plan actually gives you the admin controls you need: restricting where vaults can be opened, forbidding linked personal accounts, and enforcing MFA.

This Month:

  1. Write a simple policy: Work devices for work. Personal devices for personal stuff.

  2. If you don't have work devices, start budgeting for them. Refurbished kit is fine.

  3. Make sure your business LastPass account (or alternative) is properly separated from personal use.

This Quarter:

  1. Review who has access to what in your password manager.

  2. Implement hardware keys or proper MFA for business accounts.

  3. Document your bring-your-own-device policy (hint: it should be "don't").
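Here is what "company-managed devices only" looks like as an actual control rather than a line in a policy document, for a business already on Microsoft 365 Business Premium (which includes Entra ID P1 and Intune). This is an added example, not anything from the ICO notice or from LastPass: it assumes the password manager is set up as an enterprise application in your tenant (the application ID below is a placeholder), that the staff who hold business vaults are in a security group (also a placeholder ID), and that Intune compliance policies are already assigned to the company laptops. The first part answers step 1 of This Week (who has been signing in from unmanaged devices?); the second creates a Conditional Access policy that only grants access from a compliant device and after MFA, starting in report-only mode so you can check the sign-in logs before you lock anyone out.

```powershell
# Added example: enforce "business vault only from company-managed devices"
# with Microsoft Entra Conditional Access. Assumes Microsoft 365 Business
# Premium (Entra ID P1 + Intune) and the Microsoft.Graph PowerShell module.
# Both IDs below are placeholders for your own tenant's values.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All', 'Directory.Read.All'

$appId   = '00000000-0000-0000-0000-000000000000'  # placeholder: password manager enterprise app (application ID)
$groupId = '11111111-1111-1111-1111-111111111111'  # placeholder: security group holding business vaults

# Step 1: who has been reaching the password manager from a device Intune does
# not report as compliant? Sign-ins with no device record at all count too,
# because an unregistered personal laptop shows up exactly like that.
Get-MgAuditLogSignIn -Filter "appId eq '$appId'" -Top 200 |
    Where-Object { -not $_.DeviceDetail.IsCompliant } |
    Select-Object UserPrincipalName, CreatedDateTime,
        @{ n = 'Device'; e = { $_.DeviceDetail.DisplayName } },
        @{ n = 'OS';     e = { $_.DeviceDetail.OperatingSystem } } |
    Format-Table -AutoSize

# Step 2: the control itself. Grant access to the app only when the signing-in
# device is compliant AND the user has completed MFA. Report-only first: it
# logs what would have been blocked without blocking anyone.
$policy = @{
    displayName   = 'Password manager: compliant device and MFA only'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' once the logs look right
    conditions    = @{
        clientAppTypes = @('all')                         # browser, desktop app and legacy clients alike
        applications   = @{ includeApplications = @($appId) }
        users          = @{ includeGroups = @($groupId) }
    }
    grantControls = @{
        operator        = 'AND'
        builtInControls = @('compliantDevice', 'mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only for a week, look at the report-only results in the sign-in logs, and only then change `state` to `'enabled'`. Two things this does not do: it cannot see or block a linked personal vault, because that lives inside the password manager and has to be forbidden in its own admin console, and it does not replace the company laptop, because "compliant" only means something if the device is one you manage.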

The Uncomfortable Truth

Small businesses face the same threats as FTSE 100 companies. The attackers don't care about your turnover. They care about what they can steal or extort.

LastPass had millions in revenue. Professional security teams. Industry certifications. They still got it wrong because they let convenience trump security.

You don't have millions in revenue or professional security teams. But you can learn from their £1.2 million mistake without paying the price yourself.

Good security doesn't have to be expensive. But stupidity always is.

The separation of work and personal costs nothing except a bit of discipline. Company-owned devices cost a few hundred pounds per person. Proper policies cost an afternoon to write and five minutes to explain.

LastPass learned this lesson the expensive way. Learn it from their mistake instead.

The Bottom Line

Password managers are still brilliant tools. You should still use them. But use them properly.

Don't access corporate systems from personal devices. Don't link work and personal accounts. Don't assume that because you're small, the threat ignores you.

The ICO made it clear: if you handle customer data, you're responsible for securing it properly. Size doesn't matter. Revenue doesn't matter. "We didn't know" doesn't matter.

What matters is whether you've implemented appropriate technical and organisational measures to keep data secure. For most small businesses, that's far simpler than you think.

Separate work from personal. Use company-managed devices. Implement proper MFA. Write clear policies.

LastPass proved you can have all the fancy encryption in the world and still fail if you ignore the basics.

Don't be LastPass.

The ICO penalty notice is 88 pages of technical detail. If you want to read the full thing, it's publicly available on the ICO website. If you'd rather have a chat about what this means for your specific business, you know where to find me.

Disclaimer: This represents my personal views based on 40 years in IT security, not those of any employer or client. The ICO penalty notice is publicly available for anyone who wants to verify the facts.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com