LastPass Data Breach: The Cost of Weak Cybersecurity, 1.6 Million Users’ Data at Risk

The420.in Staff

London: One of the world’s most widely used password managers, LastPass, has been fined approximately ₹13 crore (£1.2 million) by the United Kingdom’s data protection watchdog after a data breach exposed the personal information of nearly 1.6 million users. The penalty was imposed by the Information Commissioner’s Office (ICO), which concluded that the company failed to implement adequate cybersecurity safeguards, enabling hackers to access a critical backup database.

In its enforcement order, the ICO stated that LastPass did not have “sufficiently robust technical and organisational security measures” in place. The regulator said the breach undermined the trust of users who rely on the platform to safeguard sensitive digital credentials and identity information.

2022 Breach, Regulatory Action in 2025

The case traces back to a cyber incident disclosed by LastPass in 2022, when the company admitted that an unauthorised third party had accessed parts of its infrastructure. At the time, LastPass reassured users that master passwords were not compromised, encryption remained intact, and there was no evidence of direct password exposure.

However, the ICO’s investigation found that attackers had accessed backup data stored via a third-party cloud service. According to the regulator, stronger risk assessments, supplier oversight, and continuous monitoring could have prevented the breach.

The watchdog concluded that deficiencies in security governance, technical controls, and vendor risk management significantly contributed to the incident, leaving the data of more than 1.6 million UK users at potential risk.

‘Failure to Protect Customers’

In a strongly worded assessment, the ICO said the breach reflected systemic shortcomings rather than a one-off technical failure. It noted that a company whose core business revolves around digital security is expected to operate at the highest standards of cyber resilience.

While investigators found no evidence that master passwords were decrypted, the ICO stressed that unauthorised access to backup databases is itself a serious violation, as such data can be exploited over time for identity theft, phishing, and targeted cyberattacks.


Why Password Managers Still Matter

Cybersecurity experts caution users against abandoning password managers altogether following such incidents. Specialists argue that without password management tools, users often reuse weak passwords across multiple platforms, dramatically increasing exposure to cybercrime.

This concern has gained renewed attention after the US Federal Bureau of Investigation (FBI) recently disclosed the existence of a database containing over 63 crore stolen passwords, sourced from dark web markets, encrypted messaging platforms, and malware logs. The revelation underscores the scale of global credential theft.

Experts maintain that, despite risks, password managers remain safer than unmanaged credentials, provided providers adhere to strict security and governance standards.

Warning for the Cybersecurity Industry

Industry analysts say the ₹13 crore fine sends a clear message to the broader cybersecurity sector. Modern breaches, they argue, often arise not from weak encryption, but from governance gaps, inadequate internal controls, and third-party vulnerabilities.

The LastPass case highlights that cybersecurity failures are increasingly organisational in nature, requiring constant oversight, accountability, and risk management beyond technical safeguards alone.

LastPass Responds

Responding to the ICO’s decision, LastPass said it has cooperated fully with the regulator since first reporting the incident in 2022. While expressing disappointment over the penalty, the company noted that the ICO acknowledged corrective measures already implemented.

LastPass said it has strengthened monitoring systems, enhanced supplier risk frameworks, and deployed additional security controls. The company reiterated its commitment to protecting more than 100,000 businesses and millions of individual users worldwide.

The case serves as a stark reminder that in an era of digital dependence, trust is the most valuable currency in cybersecurity — and the cost of losing it can be enormous.
