LastPass Breach – The danger of metadata

When an organisation suffers a data breach it’s usually bad. When an organisation that stores 25 million people’s passwords that’s really bad.

There are multiple risks here at play.

Firstly, when we give people our data, it’s our risk and our choice. I’m ok with that, I chose to give lastPass my data.

My vault data might be gone, but I have a strong master password, how we interpreted the theft of the basically cryptographic materials is a bit like when we full disk encrypt a drive.

If you lose a laptop that’s got FDE do you report this as a data loss to the ICO? Or do you say, it’s encrypted so actually I haven’t lost the data per say, I’ve just lost a random (ish) bunch of 0s an 1s so I don’t count that as an incident? I’m not here to be judge or jury.

Read more “LastPass Breach – The danger of metadata” →