LastPass UK Ltd Penalty Notice 20 Nov 2025
By para [1] of his penalty notice dated 20 Nov 2025, the Information Commissioner for the United Kingdom ordered LastPass UK Ltd ("LastPass") to pay a penalty of £1,228,283 pursuant to s.155 (1) (a) of the Data Protection Act 2018 for infringing art 5 (1) (f) and art 32 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as amemded ("the UK GDPR").
The Obligation
Art 5 (1) (f) of the UK GDPR provides:
"Personal data shall be
................
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."
Art 5 (2) further provides that the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1, a principle known as "accountability".
Art 32 (1) amplifies the above duty:
"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."
The Infringement
The Commissioner found that LastPass had infringed arts 5 (1) (f) and 32 (1) between 31 Dec 2021 and 31 Dec 2024 in failing to implement appropriate technical and organizational measures to ensure an appropriate level of security for the personal data for which the company was responsible, and the ongoing confidentiality and integrity of its processing systems and services.
The infringements resulted from allowing employees to access accounts from a personal device, where the latter contained the decryption keys required to access customers’ personal data and combine their personal and employee business accounts so that they could be accessed by a single master password. Because LastPass failed to implement and use appropriate technical and organizational measures, personal data relating to 1,631,410 customers in the UK were unlawfully accessed in two incidents during August 2022.
Enforcement
S.l55 (1) (a) of the Data Protection Act 2018 provides that the Commissioner may, by written notice, require that person to pay to the Commissioner an amount specified in the notice if he is satisfied that a person has failed to comply with any of the provisions of the UK GDPR specified in section 149 (2) of the Act.
Appeal
Para [228] of the penalty notice advised LastPass that it had a right of appeal against both the notice and the amount of the penalty to the First-tier Tribunal (General Regulatory Chamber) (Information Rights) to be exercised within 28 days of the date of the notice.
Civil Liability
In addition to the Information Commissioner's administrative sanctions, anyone who suffers material or non-material damage as a result of an infringement of the UK GDPR has a right to compensation from the controller for the damage suffered under art 82 (1) of the regulation (see Taking your case to court and claiming compensation on the ICO website).
Further Information
Anyone wishing to discuss this article may call me on 020 7404 5252 during UK office hours or send me a message through my contact form.
