The GDPR was always meant to be vague. By not listing prescriptive technical controls – as, for example, PCI DSS does – the regulation does a better job of staying relevant over time. Yet its principle of “technology neutrality” can also be a source of frustration to compliance teams. For more pragmatic guidance, many turn to best practice standards like ISO 27001:2022, which promotes a structured, risk-led approach to cybersecurity.
Yet as data breaches at LastPass and other organisations have shown, it’s not a panacea – especially if teams don’t approach compliance with a mindset of continuous review and improvement.
What Happened to LastPass?
The 2022 LastPass breach is thought to have exposed the details of around 30 million global customers, including 1.6 million in the UK. By any standard, it was a fairly sophisticated attack, which featured two distinct phases:
- A threat actor compromised a software engineer’s laptop, which gave them access to an SSE-C key. They could theoretically have used this to access backups of customer data, including encrypted password vaults. However, the key was encrypted, and full access to the database also required a second AWS access key.
- A threat actor was able to exploit a vulnerability in the Plex video streaming service which had been downloaded to the personal laptop of a senior development operations engineer. This enabled them to install a keylogger and subsequently decrypt the SSE-C key and get hold of the AWS access key. That opened the door to those encrypted password vaults.
Because master passwords to these vaults were stored locally on customer devices and never shared with LastPass, the vaults should have been safe. But poor implementation of the PBKDF2 algorithm meant countless passwords were brute-forced in the years since the breach, leading to an estimated $35m in cryptocurrency theft.
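To show why the KDF weakness above turned a stolen encrypted vault into a feasible guessing target, here is an added Python example (not LastPass code or data): it derives a vault key with PBKDF2-HMAC-SHA256 at different iteration counts, estimates offline guessing cost, and audits a constructed vault inventory against an assumed policy floor of 600,000 iterations (OWASP's current figure for this KDF).

```python
import hashlib
import time

# Constructed sample salt; real vaults use a per-user random salt.
SALT = b"constructed-example-salt"

def derive_vault_key(master_password: str, iterations: int, salt: bytes = SALT) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256, the KDF the article names."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)

def kdf_meets_policy(iterations: int, minimum: int = 600_000) -> bool:
    """Policy gate: 600,000 is the assumed floor (OWASP guidance for PBKDF2-HMAC-SHA256)."""
    return iterations >= minimum

def seconds_per_derivation(iterations: int, master_password: str = "correct horse") -> float:
    """Measure the legitimate user's cost of one derivation; an attacker pays this per guess."""
    start = time.perf_counter()
    derive_vault_key(master_password, iterations)
    return time.perf_counter() - start

def guess_budget_seconds(iterations: int, guesses: int, hmac_per_second: float) -> float:
    """Estimate offline guessing time for a stolen vault given attacker HMAC throughput.
    PBKDF2 cost is linear in iterations, so a low count cuts the attacker's bill by the same factor."""
    return guesses * iterations / hmac_per_second

# Constructed inventory: the iteration count stored with each vault (not real account data).
VAULT_INVENTORY = [
    {"user": "alice", "kdf_iterations": 5_000},
    {"user": "bob", "kdf_iterations": 100_100},
    {"user": "carol", "kdf_iterations": 600_000},
]

def vaults_below_policy(records, minimum: int = 600_000) -> list[str]:
    """Continuous-review check: list vaults whose stored KDF cost is below current policy
    and therefore need re-keying on the user's next unlock."""
    return [r["user"] for r in records if not kdf_meets_policy(r["kdf_iterations"], minimum)]

if __name__ == "__main__":
    for user in vaults_below_policy(VAULT_INVENTORY):
        print(f"{user}: KDF iterations below policy, schedule re-key")
    for it in (5_000, 600_000):
        print(f"{it:>7} iterations: {seconds_per_derivation(it) * 1000:.1f} ms per derivation")
```

The same audit loop is the kind of recurring check the article's sources mean by "continuous review": a parameter that was compliant when a vault was created is re-tested against today's policy rather than assumed.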
What the ICO Said
The Information Commissioner’s Office (ICO) fined LastPass £1.2m for its “failure to implement and use appropriate technical and organisational measures, contrary to Article 5(1)(f) UK GDPR and Article 32(1).” Specifically, the firm allowed senior engineers to use personal laptops to access production keys, it allowed employees to link personal and business vaults with the same master password, and it failed to rotate AWS keys after the first incident.
Yet the regulator acknowledged that compliance with ISO 27001:2022 should have meant the company followed the ICO's own guidance on securing home working devices and segregating personal and business devices/accounts. It clearly didn't.
“LastPass is not an outlier. Our recent research found that more than a quarter (26%) of privacy professionals believe their organisation is likely to experience a material privacy breach within the next year. This level of risk is fast becoming the norm,” ISACA chief global strategy officer, Chris Dimitriadis, tells IO (formerly ISMS.online).
“Compliance with standards such as ISO 27001 is essential – but it is only the starting point. The LastPass breach underlines a hard truth: privacy and data protection cannot be reduced to box-ticking. Organisations must move beyond minimal compliance towards enterprise-wide capability and maturity assessments.”
Moving with the Times
LastPass isn't the first and certainly won't be the last company to suffer a serious breach despite being certified against best-practice standards. Other notable cases include:
- 23andMe: The DNA testing firm was fined £2.3m by the ICO after a breach impacting millions of customers. It failed to mandate multi-factor authentication (MFA) for users, had insufficient monitoring for unusual activity, and enabled threat actors to abuse an internal feature (DNA Relatives) to access more accounts than they should have been able to.
- Interserve Group: The outsourcer was fined £4.4m after a breach of employee data. Despite the intrusion being flagged by the firm's endpoint protection tooling, it failed to investigate.
Cases like these don't highlight the shortcomings of standards like ISO 27001. They prove that many organisations still aren't approaching compliance programmes with the right mindset.
“While ISO 27001, SOC 2 and other standards are an excellent and time-tested baseline to assess corporate information security, they are not – and have never been – designed as a guarantee that a company is unhackable or that 100% of policies or procedures are properly followed,” explains ImmuniWeb CEO, Ilia Kolochenko.
“Moreover, even if all policies and procedures are duly followed, it does not mean or imply that the underlying processes are technically flawless.”
Dennis Martin, crisis management and business resilience specialist at technology services firm Axians UK, adds that standards-based compliance is only helpful when leaders insist controls work in practice.
“Security measures must be tested, validated, and challenged regularly. Assumptions and documented processes are no substitute for evidence. A ‘don’t trust, test’ mindset is essential if organisations want confidence in their security posture,” he tells IO (formerly ISMS.online).
“Effective compliance is continuous. Threats evolve, business operations change, and controls degrade over time. Regular review and improvement are necessary to ensure that what is written down still reflects reality.”
Continuous Improvement
In fact, ISO 27001:2022 “explicitly recognises” that security must not stand still, Oleria VP of security, Didier Vandenbroeck, tells IO.
“A core principle of the standard is continual improvement, with auditors expected to raise opportunities for improvement where controls may be technically compliant but no longer appropriate to the evolving threat landscape,” he explains.
“When certification becomes a tick-box exercise, that principle is lost. Certificates are ultimately meaningless if organisations do not follow them in practice or fail to challenge whether existing controls still make sense given how people actually work and how attackers operate.”
IO CPO, Sam Peters, agrees.
“This is why frameworks and standards are most effective when treated as living management systems, effectively operating models for managing cyber risk, rather than static compliance milestones,” he tells IO.
“The principle of continuous improvement, embedded through regular review, challenge and adaptation, has been central to our approach at IO since inception and reflects what regulators increasingly expect to see in practice. Used in this way, frameworks provide a durable foundation for organisations to manage cyber risk in an environment of constant change, rather than a snapshot of compliance at a single point in time.”
Such an approach is particularly important for managing GDPR risk at a time when regulators are placing an ever-greater emphasis on context.
“Regulators are very clearly signalling that ‘appropriate technical and organisational measures’ should be understood as contextual and evolving, rather than fixed or static. What is deemed appropriate will vary depending on factors such as risk exposure, data sensitivity and the threat landscape, and is increasingly being assessed after an incident has occurred,” he concludes.
“In practice, this means regulators are less interested in whether a framework has been adopted, and more focused on how effectively it is being used to identify, review and manage information security risk over time.”