DataBreaches.Net

FINRA Imposes Fines Totaling $600,000 Against Lincoln Financial Securities and Lincoln Financial Advisors for Failure to Protect Confidential Customer Information

Posted on February 17, 2011 by Dissent

The Financial Industry Regulatory Authority (FINRA) announced today that it has imposed fines of $450,000 against Lincoln Financial Securities, Inc. (LFS) and $150,000 against an affiliated firm, Lincoln Financial Advisors Corporation (LFA), for failure to adequately protect non-public customer information. In addition, LFS failed to require brokers working remotely to install security application software on their own personal computers used to conduct the firm’s securities business.

Securities and Exchange Commission (SEC) and FINRA rules require every broker-dealer to adopt written policies and procedures that address safeguards for the protection of customer records and information. FINRA found that for extended periods of time – seven years for LFS and approximately two years for LFA – certain current and former employees were able to access customer account records through any Internet browser by using shared login credentials. From 2002 through 2009, between the two firms, more than 1 million customer account records were accessed through the use of shared user names and passwords. Since neither firm had policies or procedures to monitor the distribution of the shared user names and passwords, they were not able to track how many or which employees gained access to the site during this period of time. As a result of the weaknesses in access controls to the firms’ system, confidential customer records including names, addresses, social security numbers, account numbers, account balances, birth dates, email addresses and transaction details were at risk.

The Web-based system both firms used combined non-public customer account information from various sources and allowed employees to view the customer account information within a single site. Home office personnel from both firms could access the system either by clicking on a link on the firm’s website or could gain access through any Internet browser by going directly to the system’s website and logging in with one of the shared user names and passwords.

FINRA also found that LFS and LFA did not have procedures to disable or change the shared user names and passwords on a recurring basis even after a home office employee had been terminated. Many individuals left the two firms during the relevant time period, yet the shared user names and passwords were never changed, and the firms had no way of determining whether former employees continued to access confidential customer information using those same user names and passwords.

In assessing sanctions, FINRA took into consideration the firms’ efforts to notify all customers whose account information was or had been potentially exposed on the firms’ Web-based system, and that the firms offered those customers credit monitoring and restoration services for a period of one year.

In settling these matters, LFS, based in Concord, New Hampshire, and LFA, based in Fort Wayne, Indiana, neither admitted nor denied the charges, but consented to the entry of FINRA’s findings.

This action was brought by Kevin Kulling, Enforcement Senior Regional Counsel, under the supervision of Mark Koerner, Enforcement Regional Chief Counsel.

Investors can obtain more information about, and the disciplinary record of, any FINRA-registered broker or brokerage firm by using FINRA’s BrokerCheck. FINRA makes BrokerCheck available at no charge. In 2010, members of the public used this service to conduct 17.2 million reviews of broker or firm records. Investors can access BrokerCheck at www.finra.org/brokercheck or by calling (800) 289-9999.

FINRA, the Financial Industry Regulatory Authority, is the largest non-governmental regulator for all securities firms doing business in the United States. FINRA is dedicated to investor protection and market integrity through effective and efficient regulation and complementary compliance and technology-based services. FINRA touches virtually every aspect of the securities business – from registering and educating all industry participants to examining securities firms, writing and enforcing rules and the federal securities laws, informing and educating the investing public, providing trade reporting and other industry utilities, and administering the largest dispute resolution forum for investors and registered firms. For more information, please visit www.finra.org.

Source: FINRA

Note that this action is related to previous coverage on this blog.

Category: Breach Incidents, Financial Sector, Of Note