- It is common for organizations to hold off on issuing data breach notices until there is less media attention or focus from consumers. This was the case with the Five Guys, Twitter and LastPass data breaches.
- The LastPass data breach generated the most attention. Two days before Christmas, the company announced that cybercriminals had gained access to customer information using the information stolen in August.
- LastPass has not acknowledged how many accounts or individuals were compromised in the attack. All three breached organizations issued data breach notices lacking actionable information, a trend the Identity Theft Resource Center (ITRC) continues to see.
- The ITRC will publish our 17th Annual Data Breach Report on January 25 and present the findings at a public policy conference in Washington, D.C. You can register to attend virtually at our website idtheftcenter.org/events.
- To learn about data compromises like the LastPass data breach, consumers and businesses should visit the ITRC’s improved data breach tracking tool, notified.
- If you believe you are the victim of an identity crime, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.
LastPass the Breach Notice
Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 13, 2023. This is the first episode of our fourth season. Thanks for joining us for another year. Each week, we look at the most recent events and trends related to data security and privacy. All was quiet when we left the data breach ranch before the holidays. We were on a glide path to end 2022 with a significant drop in data breach victims and a far cry from the record-breaking pace of compromises from 2021. Then came December with major data events like the LastPass data breach.
Large Number of Breaches Reported in December
As is often the case at the end of the year, some organizations hold off issuing data breach notices until there is less media attention or focus from consumers. Increasingly, even when there is a breach notice, there is less information shared in the alert. Here are three examples:
- Fast-food chain Five Guys announced that threat actors had infiltrated the company’s application system in September, stealing undisclosed personal information on an undisclosed number of people. Five Guys did not reveal what steps have been taken to ensure a repeat of the breach does not occur.
- Shortly after that, security researchers revealed that information on 221 million users of Twitter was for sale in an illicit identity marketplace where identity thieves buy, sell and share stolen and scraped personal information. Twitter did not issue a notice of a compromise at all.
- However, an 11th-hour company blog from a popular password manager garnered the most attention. In August, LastPass revealed that cybercriminals gained access to source code and software development information stored by the popular service. At the time, LastPass said that the thieves had not accessed customer information.
LastPass Data Breach Notice Lacks Information
In a statement on its website two business days before Christmas, LastPass announced that cybercriminals had gained access to customer information using the information stolen in August. LastPass has not acknowledged how many accounts or individuals were compromised in the attack.
Cybersecurity experts have criticized the company for lack of transparency and confusing messaging about the LastPass data breach. Many long-time supporters of LastPass are publicly calling on consumers to move away from the service in favor of competitive products.
Data Breach Notices Lacking Information is Becoming a Trend
All three of these last-minute notices are just the latest examples of a trend the ITRC has been watching develop for the past year: a distinct lack of actionable information about what happened to cause a breach, who was impacted and what’s being done to prevent a repeat performance.
If you use LastPass as your personal password manager, we recommend you evaluate your relationship and consider using a competitive product or the highly effective password manager built into modern browsers like Safari, Firefox, DuckDuckGo, Chrome or Edge. If you are a business user, ask your IT leaders if LastPass is still a good fit for your company.
ITRC to Release 2022 Annual Data Breach Report
Speaking of data breach trends, the ITRC will publish our 17th Annual Data Breach Report on January 25 and present the findings at a public policy conference we’re co-hosting in Washington, D.C., with the Better Identity Coalition (BIC). You can register to attend virtually at our website www.idtheftcenter.org/events.
Contact the ITRC
If you want to know more about how to protect your personal information or if you think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.
We will be back next week with another episode of the Weekly Breach Breakdown.