Programming vulnerability exposes retiree data

Share this article:
A database programming error exposed the personal information of tens of thousands of retirement plan enrollees at investment planning firm Lincoln Financial Group.

How many victims? 91,763.

What type of personal information? Names and Social Security numbers.

What happened? The issue involved a sensitive database maintained by affiliates The Lincoln National Life Insurance Co. and Lincoln Life & Annuity Co. of New York.  

Due to a programming weakness affecting the database search function, administrators were able to view information about individuals not part their plan. Consequently, if an administrator searched a participant's first or last name, the results would have included all plan participants with the same name, and displayed their Social Security numbers. The company was notified of the flaw July 18 by a plan administrator.

Details: The programming error existed in the database search function since 2009. There is no evidence to believe that information in the database was misused.

What was the response? Upon learning of the error, the company disabled the database search function. Once the issue was investigated, participants' Social Security numbers were truncated. The search feature has not yet been restored, as the company is still working on an appropriate solution. Affected individuals are being notified and offered free credit monitoring services.

Meanwhile, this is not the first data breach Lincoln has experienced in recent months. In July, the company said an email error exposed the names and Social Security numbers of 705 people.

Source: Letter to New Hampshire Attorney General Michael Delaney, August 15, 2011.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

POLL

More in The Data Breach Blog

Florida medical center hit with breach for third time in two years

Aventura Hospital and Medical Center has reported a data breach for the third time in two years.

Tampa General Hospital breach impacts hundreds of patients

Tampa General Hospital is notifying 675 patients that their personal information may have been accessed, without authorization, by a former employee.

George Mason University travel system targeted for malware attack

The incident could have exposed the names and Social Security numbers of users, although no evidence has surfaced to suggest that's the case.