A vulnerability in the portfolio information system for broker-dealer subsidiaries of Lincoln National Corporation potentially exposed the records of 1,200,000 people, 18,900 of whom are New Hampshire residents.
By letter dated January 4, attorneys for Lincoln Financial Securities Corporation and Lincoln Financial Advisors notified the New Hampshire Attorney General’s Office that although an outside forensic review found no reason to believe that client data were actually accessed or misused, information such as names, addresses, Social Security numbers, account numbers, account registration, transaction details, account balances, and in some cases, dates of birth and email addresses had been potentially exposed. The affected system is not used to transfer funds or effect trades.
Lincoln first became aware of the problem on August 17, when it was notified by FINRA, the Financial Industry Regulatory Agency, that someone had contacted them with a username/password combination that gave access to the portfolio information system. The user/pass had reportedly been shared among various employees of LFS and employees of affiliated companies, in violation of LNC’s policies. FINRA declined to inform LNC as to whether the provider of the user/pass was a current employee, but when FINRA investigated, they discovered that LFA was also using a shared user/pass.
LNC’s investigation subsequently determined that there were six shared user/password combinations, going back as early as 2002.
This is a serious breach of policy but one that is very hard to control. I do security audits for professional firms that handle personal information and I unfortunately find this type of password sharing going on. Lincoln National should take strong action to stop this kind of behavior.
Cybercrime Fighter
http://www.guidemarksecurity.com
I don’t enough about FINRA to know if FINRA can take action/penalize for poor security like this where there is no evidence of actual access or misuse outside of the organization. Anyone know?
If this firm takes credit cards they are going to be in a wold of hurt when VISA gets done with them. If they passed their PCI audit, their QSA will be in the same boat.