Financial services firm notifies 1.2 million of breach

Lincoln National Corp. (LNC), a Radnor, Pa.-based financial services organization, revealed early this month that a vulnerability in its portfolio information system could have allowed the personal records of more than one million individuals to be inappropriately accessed.

How many victims? 1.2 million.

What type of personal information? Information contained on the affected system includes customer names, addresses, Social Security numbers, account numbers, account registration information, transaction details, account balances, and, in some cases, birth dates and email addresses.

What happened? The affected portfolio information system is used by two LNC subsidiaries: Lincoln Financial Securities (LFS) Corp., based in Concord, N.H., and Lincoln Financial Advisors (LFA) Corp., based in Hartford, Conn. The system is used for analyzing and reporting customer financial accounts.

On Aug. 17, the Financial Industry Regulatory Authority (FINRA), an independent securities regulator, notified LFS that it had received a username and password from an unidentified source that provided access to the portfolio information system.

The username and password were shared by certain employees of LFS, a violation of LNC security policy. In addition, it was discovered that LFA employees also shared usernames and passwords to access the portfolio information system.

Details: An investigation revealed that between LFS and LFA, there were six shared passwords for the system, created as early as 2002.

There is no evidence that anyone outside of the company had access to the shared passwords, that former employees accessed the system after leaving the company or that any current employees used the credentials for anything other than work purposes. But there is no way to be sure that unauthorized access did not occur.

What was the response? Computer forensic organization Kroll Ontrack was brought on to conduct an investigation to determine the scope of the breach. All shared usernames and passwords have been discontinued. Affected individuals will be notified and offered free credit monitoring services.

Source: Statement to New Hampshire attorney general's office, written by Michael Delaney on behalf of Lincoln National Corp., Jan. 11, 2010.
