Lincoln National Corp Reveals Potential Breach of 1.2 Million Accounts

Employees Violated Policy by Sharing User Names, Passwords Lincoln National Corp., a financial services company based in Radnor, PA disclosed a security vulnerability that may have leaked personal data of 1.2 million customers.

The company revealed the possible data breach in a letter to the attorney general of New Hampshire on January 4. In the letter, lawyers for the firm say the breach of the Lincoln portfolio information systems had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August.

While the letter did not disclose how the breach happened, it says the unidentified source sent FINRA a username and password that could access the portfolio system. This username and password had apparently been shared among employees of the company and vendors. "The sharing of usernames and passwords is not permitted under the LNC security policy," the letter states.

FINRA didn't tell Lincoln whether the source of the username and password was a current employee or some other party, the lawyers say in the letter.

Kroll, a forensic security company, was hired to do an investigation, which revealed Lincoln and another one of its subsidiaries, Lincoln Financial Advisers, were using shared usernames and passwords to access the portfolio information management system. Kroll found a total of six shared usernames and passwords, which were created as early as 2002.

The passwords were "created and distributed by the system administration team to certain home office and support staff to perform administrative functions, respond to registered representative inquiries and review client account activity," says the notification letter. Kroll's forensic team didn't find the data had been used outside of the company, either by hackers or former employers.

Lincoln says it has "discontinued" all shared usernames and passwords in its systems, and notified its customers and is offering identity theft services to the affected customers.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.