LastPass UK Ltd
- Date: 20 November 2025
- Type: Monetary penalties
- Sector: Online technology and telecoms
£1,228,283 penalty issued to password management provider LastPass UK Ltd on 20 November 2025 in respect of infringements of Article 5(1)(f) and Article 32(1)(f) UK GDPR. LastPass' failure to implement appropriate technical and organisational security measures allowed a threat actor to exfiltrate personal data relating to approximately 1.6 million UK customers from its backup database. However, due to LastPass' "zero knowledge" encryption system, the most sensitive personal data stored in LastPass customers' password vaults remained encrypted at all times, even after exfiltration by the threat actor.