On December 22, 2022, LastPass announced that a data breach first disclosed in August 2022 was far more extensive than initially thought. The news sent shockwaves through the industry, leaving many password manager users — especially LastPass users — concerned about the security of their sensitive information.

The breach serves as a stark reminder that no online service provider may be completely bulletproof breach-wise. So today, let’s get into the LastPass data breach and what it means for NordPass users.

The LastPass data breach breakdown

Cybercriminal activity has been on a steady rise for the last decade, and it looks that the trend is not about to change. In fact, today, cybercrime is the most lucrative criminal activity and is estimated to cost the world $10.5 trillion annually by 2025.

So as our personal and financial information is increasingly getting stored online, it is critical that companies take all necessary steps to protect their customers’ data. Unfortunately, the recent LastPass data breach shows that even well-known companies can fall short security-wise.

The company’s latest statement explains that an unauthorized party was able to access LastPass’ cloud-based storage environment and copy customer vault data along with information from a backup of customer account information.

The extent of the breach is not yet clear, but it is likely that it included some personally identifiable data such as email addresses, phone numbers, and billing information for some users.

The response from LastPass to the breach has been met with criticism from both industry experts and customers. In fact, it has already led to a class-action lawsuit, with one plaintiff alleging that the data breach resulted in the theft of around $53,000 worth of Bitcoin.

Did the LastPass data breach affect all password manager users?

Let’s be clear — the LastPass data breach does not have any direct effect on NordPass, its users, or users data.

After all, we’re two different companies and products with completely different security approaches and mindsets. However, we admit that seeing a competitor affected by a breach of this magnitude is an acute reminder to stay vigilant and prepared at all times.

Is NordPass a secure place for your digital valuables?

Given the severity of the LastPass data breach, it’s only natural that people are questioning the security of their password manager, including NordPass.

First, one of the key elements of NordPass is that it is a zero-knowledge password manager equipped with an advanced encryption algorithm known as XChaCha20 to ensure protection of everything you store in NordPass.

This means that all data stored in the NordPass vault is first encrypted on your device and only then sent to the cloud-based server. Because of the way NordPass is set up, it is only you — the user — who holds the decryption key and has access to everything stored in their vault.

The NordPass team can’t see or access anything. The same principle applies in situations of breaches. Even if a bad actor were able to get their hands on your vault data, they would still need your device, which holds the decryption key, to access the actual contents of the vault data.

NordPass CTO Tomas Smalakys offers a more detailed explanation:

Each NordPass user has a unique public-key cryptography key pair. The Public Key is always stored in plaintext form. The Private Key, on the other hand, exists in plaintext form only on the user’s end device for a limited period of time and never leaves it.

When we need to store a user’s Private Key, it’s encrypted with secret-key cryptography (XChaCha20-Poly1305-IETF) on the user’s device and only then passed to us. While the app is unlocked, the unencrypted Private Key is stored in the secure memory accessible only to the NordPass application. When the application is locked, either by the user or automatically after a set period of inactivity, the Private Key is deleted from the secure memory.

For the user’s Private Key encryption, the Master Key is used. The Master Key is derived from the Master Password and a 16-byte unique-per-user cryptographic salt using the key derivation function (Argon2id). We ask the user for the Master Password every time we need to decrypt the user’s Private Key.

 

– Tomas Smalakys

NordPass CTO

Tomas further explains that in addition to the encryption principles above, every item (folder, password, credit card, etc.) has two types of data:

• Metadata (title, website address, cardholder name, etc.)

• Secret data.

For secret-key (symmetric) cryptography, we use an authenticated encryption algorithm:

• XChaCha20 stream cipher encryption.

• Poly1305 MAC authentication.

For public-key (asymmetric) cryptography, we use an authenticated encryption algorithm:

• X25519 key exchange.

• XSalsa20 stream cipher encryption.

• Poly1305 MAC authentication.

User data is encrypted on their devices and never leaves the device in plain text. This means that when the data is in transit or at rest, it is fully encrypted. In the database, both metadata and secret data is encrypted. This means that if bad actors are able to get access to the database or any of its backups, no user data can be accessed.

Furthermore, at NordPass, we feel that due to the nature of our product, our security practices should be transparent. Both NordPass and NordPass Business have had their security posture thoroughly audited by Cure53, a renowned German auditing firm.

NordPass Business has also successfully passed the SOC 2 Type 1 Audit, which ensures that NordPass Business provides proper security controls to manage customer data and protect their interests with regard to privacy.

All these measures help to ensure that the sensitive data stored in NordPass vaults is protected at all times. However, these days bad actors are creative and no longer function as a one-person operation. So it’s always important to be vigilant with your own security and use strong, unique passwords for each account as well as enable two-factor authentication whenever possible.

Bottom line

It remains to be seen how the LastPass breach will impact the company and the password management industry as a whole, but one thing is clear: it has shaken user trust and serves as a cautionary tale for the importance of data security.

Designed to ensure the safety and security of an organization’s operations and protection of its customers, regulatory compliance standards are a fact of life in today’s business world. Fail to comply and be ready to face serious financial, legal, and reputational harm to your organization.

Today, we’re taking an in depth look at regulatory compliance, exploring different standards, and looking into how NordPass Business can help your organization meet the requirements in an easier and more efficient way.

What is regulatory compliance?

Regulatory compliance refers to various processes and procedures of adhering to the laws, regulations, and standards set by various governing bodies. The regulations can come from numerous sources such as local, state, federal, or even international agencies, industry groups, and professional associations. The intention behind various regulatory compliance is to protect consumers and other stakeholders.

Importance of regulatory compliance

The aim of regulatory compliance is to make sure that businesses and organizations operate in a secure, responsible, and ethical manner. Regulatory compliance can also provide businesses and organizations with a competitive advantage by helping to create a culture of transparency and credibility with customers, employees, and other involved parties. Furthermore, adhering to regulatory compliance can improve internal processes, risk management procedures, and mitigate potential legal issues, which in turn lays a great foundation for a sustainable organization.

However, it’s critical to remember that most regulatory compliance is mandatory. Failing to comply with any of the mandatory regulations can result in hefty fines. For instance, Google has been fined nearly $57 million by French regulators for violation of the General Data Protection Regulation (GDPR). Meta — the company formerly known as Facebook — recently has been fined over $400 million by top EU regulators for forcing users to accept targeted ads.

Besides financial losses, non-compliance can cause major damage to the organization’s reputation as clients may lose trust in the organization. This can even lead to serious legal issues.

Below are some of the most common regulatory compliance standards.

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) is a US federal agency that develops technology, metrics, and standards to drive innovation and ensure operational security within a business environment. NIST compliance is mandatory for all US-based federal information systems except those related to national security. However, the standard can be adopted by any organization.

To be NIST-compliant, a company needs to implement access controls to limit the risk of unauthorized access, develop a comprehensive incident response plan, and devise audit procedures and schedules.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a data protection law that applies to businesses and organizations operating within the European Union (EU) and the European Economic Area (EEA). It sets out rules for how organizations can collect, use, and store personal data, and provides individuals the right to access and control their personal data.

To adhere to the GDPR, organizations and businesses need to implement measures such as obtaining consent from individuals before collecting their data, providing clear and concise information about their data collection practices, and implementing appropriate security measures to protect personal data.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets out standards for the protection of personal health information. The law applies to healthcare providers and all other entities that handle personal health information in the US.

To meet the requirements set out by the HIPAA, organizations need to implement secure systems for storing and transmitting personal health information, providing training to employees on HIPAA requirements, and implementing access controls to prevent unauthorized access to personal health information.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that apply internationally to organizations that handle credit card transactions. The regulatory standard sets out requirements for protecting cardholder data and preventing unauthorized access to such data.

The PCI DSS regulations require businesses and organizations that process payment card information to implement secure systems for storing and transmitting cardholder data, conduct regular security assessments, and implement further security controls to prevent unauthorized access to cardholder data.

ISO/IEC 27001

The ISO/IEC 27001 is an international standard that outlines best practices for an information security management system (ISMS). The standard has been developed to help organizations protect their information assets and manage risks related to information security. The ISO/IEC 27001 is not a mandatory requirement.

To meet the ISO/IEC 27001 compliance, organizations need to conduct regular risk assessments, implement controls to protect against unauthorized access, and regularly review and update their information security management systems.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a privacy law that in many ways mimics its European counterpart — the GDPR. However, the CCPA applies to businesses operating in California and it provides California residents with the right to access and control their personal data, and imposes certain requirements on businesses that collect and handle personal data.

For an organization to be CCPA compliant, it needs to implement security measures to protect customer data. Furthermore, companies are also required to provide clear and concise information about data collection practices, allowing California residents to request access to and deletion of their personal data.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a US law that applies to financial institutions within the US. Like many of the regulatory compliance standards we already discussed, GLBA requires financial institutions to implement safeguards that would protect personal information as well as to disclose their data collection and sharing practices to customers.

To comply with the GLBA regulatory standards, financial institutions may need to implement secure systems for storing and transmitting personal financial information, providing customers with information about their data collection and sharing practices, and implementing access controls to prevent unauthorized access to personal financial information.

Center for Internet Security (CIS)

The Center for Internet Security (CIS) is a nonprofit organization that provides cybersecurity guidance and best practices to help organizations protect their systems and data. The CIS comprises 18 Critical Security Controls for identifying and protecting against the most common cyber threats.

To be CIS compliant, companies and organizations need to establish a comprehensive cybersecurity perimeter to ensure protection of their data and information management systems.

Opinion 498

The Formal Opinion 498 outlined by the American Bar Association (ABA) provides guidance for US-based lawyers and law firms with regard to virtual practice. While the ABA Model Rules of Professional Conduct permit virtual practice, the Formal Opinion 498 provides an additional set of guidelines for virtual practice.

To follow the guidelines set out by the Opinion 498, organizations or individuals are urged to establish secure information management systems and protect them with complex passwords to ensure secure storage and access to client data.

Agence nationale de la sécurité des systèmes d’information (ANSSI)

ANSSI compliance combines a set of security standards set by the French National Cybersecurity Agency. The ANSSI has been developed as a regulatory standard in France to protect sensitive information and systems from cyber threats such as hacking, malware, and data breaches. Companies that store and handle sensitive information may be required to comply with the ANSSI standards in order to ensure the security of that information.

Compliance with the ANSSI standards may involve regular audits, penetration testing, and other security measures to identify and address vulnerabilities in a company’s systems.

How can NordPass help with regulatory compliance?

Meeting regulations and staying compliant can be a complex and time-consuming process, as businesses and organizations must stay up-to-date with the latest regulatory requirements and implement appropriate policies, procedures, and tools.

However, with the right tools at your disposal compliance can be less of a hassle than you might think. One such tool is NordPass Business — a secure and easy-to-use password manager designed for business use and it can help your organization comply with the security guidelines and requirements outlined in the regulatory compliance standards listed above. But how exactly can it help?

Strong passwords and secure password storage

Most regulatory compliance standards require organizations to implement some sort of security measures to limit the possibility of unauthorized access.

For instance, PCI DSS, GLBA, GDPR, and CIS Controls all have outlined guidelines for ensuring the security of personal data processing and storage.

This is where NordPass comes in as a tool that can help. Designed by the principles of zero-knowledge architecture and equipped with an advanced XChaCha20 encryption algorithm, NordPass offers a secure way to store and access business passwords and other sensitive information in line with regulatory requirements.

Password Policy — a NordPass Business feature — can also play a critical role in compliance. Using Password Policy, companies can set certain specifications for password complexity for the entire organization, which can significantly fortify the overall security of the organization.

To easily follow Password Policy rules and specifications, users can use our very own Password Generator — a tool that can generate a password adhering to all the specifications outlined in the Password Policy in just a few clicks.

On top of that, NordPass Business can ensure that all of your organization’s passwords are stored securely and in line with the regulatory requirements.

Secure access management

Some compliance standards require organizations to implement secure access management solutions. For example, this is the case with ANSSI compliance as well as with HIPAA and NIST.

Here NordPass Business and its Admin Panel can play a major role because it is designed to provide organizations a way to effectively and easily manage access privileges across the entire organization.

Via the Admin Panel, solution owners and admins can grant or revoke access to systems as well as monitor member activity within the organization. The Admin Panel is also the place where you can set the Password Policy for the organization, ensuring that passwords throughout the company adhere to certain specifications.

Breach Monitoring

Regulatory compliance standards also tend to outline best practices for responding to a security incident such as a data breach. This is explicitly outlined in the GDPR’s Article 33, which states that data breach including personal data breach should be reported within 72 hours to the supervisory authority. Failing to do so may result in a fine of 10 million or 2% of annual revenue.

NordPass Business is equipped with a Data Breach Scanner — a tool that can scan the entire company’s domain list for potential breaches. Because the Data Breach Scanner issues a notification to all members of the organization, the company potentially affected by a breach can act quickly and efficiently to contain it.

The NordPass Password Health tool can help you detect potentially weak, old, or reused passwords throughout the organization and significantly reduce the risk of unauthorized access.

Bottom line

These days, regulatory compliance is an inseparable part of running a business. Fail to comply and be ready to face hefty fines and serious reputational damage. However, compliance is never easy. But with the right tools at your disposal, the whole process can be a lot smoother.

NordPass Business can be a tool to assist organizations in meeting various requirements in an easier and more efficient way. By staying compliant, organizations can not only avoid costly fines and legal issues, but also gain a competitive advantage by building a culture of transparency and credibility with their customer base or investors.