GB
Information Commissioner's Office
01 November 2025
Inadequate security measures
LastPass UK Ltd
LastPass UK Ltd fined £1,200,000 by the ICO for security shortcomings.
GBP £1,200,000
Summary
In November 2025, the Information Commissioner’s Office imposed a monetary penalty of about £1.2 million on LastPass UK Ltd. The sanction concerned security and governance failures that led to a breach affecting around 1.6 million UK users, despite the use of strong encryption.
Grounds for the decision
Inadequate security measures under the UK GDPR, including weak device controls and privileged access governance.