On Thursday, Dec. 22., as Americans prepared for the holidays and braced for massive winter storms, the password manager LastPass announced to its 33 million customers that it suffered a major security breach.
But even those paying attention to emails or tech news may not have grasped the full scope of the breach, which exposed encrypted password vaults and put millions of individuals and organizations at risk of having their most sensitive data exposed to criminal hackers.
Based on the public notification from LastPass, the potential implications of the incident were anything but clear. Security experts immediately criticized LastPass’s announcement as misleading and difficult to understand. The company’s announcement seemed to imply that it would be difficult for the attacker to decrypt stolen passwords, but that would very much depend on a given user’s master password.
As is so often the case in the aftermath of a major data breach, users were left to figure out exactly what happened and what to do about it — with very little guidance from the company to whom they had entrusted their most sensitive data.
When major data breaches occur, companies in the U.S. are typically required under state law to report it and notify users (though this depends on the details of the breach), but that breach notification regime, experts say, has become so convoluted that consumers are often left in the lurch.
The U.S. famously does not have a federal privacy law — something that might determine the rights of consumers to know their personal data has been stolen. What it has instead are 50 different state laws governing breach notification. When a company realizes its systems have been breached and data inappropriately accessed, it must examine the affected users state by state and determine whether the data stolen and belonging to them qualifies for notification under each user’s state data-breach notification regime.
“It’s really messy,” says Chris Frascella, who studies consumer privacy at the Electronic Privacy Information Center, a nonprofit research group. “What you’re required to report in Alabama may not be something that you have to report in Connecticut.”
Because many technology companies are based in California or collect significant amounts of data on the state’s residents, this means they often must adhere to California’s fairly strong privacy law, and when this standard is more rigorous than in other states, companies will implement the California law across the board, Frascella added.
But to illustrate the complicated scenario facing companies, “some states may have specific requirements that are either more rigorous than California or standards that are mutually exclusive with California’s and when that happens the company would be forced to tailor its obligations by state,” Frascella said.
Beyond its difficult-to-parse post announcing the breach, LastPass has stayed silent regarding what exactly transpired on its systems. The company did not respond to a list of detailed questions from CyberScoop about the state of its investigation and whether it had begun notifying users directly. Based on communications LastPass sent to some affected customers and obtained by CyberScoop, the company has informed some customers directly about the breach, but these notices have included few details to help customers understand the implications of the breach.
Under the United States’ fractured data breach notification regime, the company’s public statement may satisfy its notification requirements, Frascella said. But that depends on the details of what was compromised — something the company is loath to disclose to its users and the public as it sorts through exactly what happened.
Against the backdrop of widespread breaches of personal data, the use of a password manager represents a foundational component of improving security for ordinary consumers — but that also creates a juicy target for hackers looking to obtain passwords to a large number of accounts to enable other attacks.
Companies trying to deal with these types of complex data breaches face difficult trade-offs between trying to determine the scope of a breach and notifying users publicly.
“There is a tension between: Do you go out very quickly and disclose a breach knowing that there is a lot of uncertain or inaccurate information? Or do you wait and learn more and have more certainty?” said Samir Jain, the vice president of policy at the advocacy group Center for Democracy and Technology.
In the case of the breach LastPass disclosed in December, one breach appears to have led to another. According to the company, “an unknown threat actor” accessed a cloud-based storage environment “leveraging information” that was, in turn, stolen from a breach disclosed in August.
Unraveling that sequence of events clearly poses a challenge to the company, but the dynamic nature of these investigations doesn’t obviate from the to “at some point to disclose guidance to customers as to what they should do in light of what has happened,” Jain said.
In its guidance to users, LastPass has emphasized that while the attacker was able to steal encrypted password data, this data could not be decrypted without access to the master password, which only the user is in possession of. So long as a user picked a strong master password, the company claims, an attacker probably won’t be able to decrypt the stolen passwords — running a brute force attack to do so would simply take too long.
With that guidance, the company is effectively placing the onus on consumers to maintain the integrity of their passwords — when the consumer had been relying on LastPass to do so in the first place.
Under the state-by-state breach notification regime in the U.S., whether data was encrypted plays an important role in triggering or avoiding disclosure to the consumer. If stolen data is encrypted, companies will often be exempted from disclosing the breach under state law.
This exception represents a major weakness that consumers are unlikely to be aware of, Frascella argues: “Just because it can’t be cracked now doesn’t mean it can’t be cracked later.”
Other types of unencrypted data can be important to cybercriminals but may not require companies to disclose a breach to regulators and consumers. Data considered personal — like which website a user an account with, for example — could increase the “likelihood of being targeted by phishing attempts or other attempts at account compromise,” Frascella said. But disclosure regimes tend not to address that risk.
Against this backdrop, policymakers in Washington are attempting to step up their breach notification requirements, but these efforts are at an early stage.
As mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the owners and operators of critical infrastructure will soon have to report cyber incidents and ransomware payments to the Department of Homeland Security. DHS is currently in the process of writing rules governing these disclosures, but it is important to note that these requirements are focused on critical infrastructure, rather than consumer goods.
Over at the Securities and Exchange Commission, policymakers have proposed requiring publicly traded companies to report in public filings breaches considered to be material to investors — but what amounts to a “material” breach is a matter of some debate.
The Federal Trade Commission is also stepping up its efforts to push companies to implement better security practices and do a better job of notifying consumers when they are affected by a data breach.
In the aftermath of the Log4j vulnerability, the FTC warned companies that they are obligated to patch the vulnerability and could be sued by the agency if they don’t — the latest step by the agency to flex its authority over cybersecurity regulations. In March, the agency took action against CafePress, suing the company for its inadequate response to a data breach, including its failure to promptly notify affected consumers.
Until companies begin putting more resources toward data security and realize that they may face FTC action for failing to build secure systems, the FTC appears to recognize that breaches will remain a fact of life — and even offers businesses a sample letter to send consumers informing them their data has been stolen.