Lincoln National Corp. discloses security vulnerability

SearchFinancialSecurity.com Staff

Lincoln National Corp. recently notified authorities of a security vulnerability in a portfolio information system that potentially exposed personal information of approximately 1.2 million customers.

In a letter to New Hampshire Attorney General Michael Delaney, Lincoln National said that a forensic review had found no evidence that the vulnerability -- created by the use of shared passwords and usernames -- led to customers' information being stolen or misused.

The portfolio system is used by the company's broker-dealer subsidiaries Lincoln Financial Securities Corp. (LFS) and Lincoln Financial Advisors Corp. (LFA) to report and analyze customer accounts, and contains names, Social Security numbers, account numbers and other sensitive information.

In August, LFS was notified by the Financial Industry Regulatory Authority (FINRA) that it had received, from an unidentified source, a username and password that provided access to the portfolio system. The credentials had been shared by certain employees of LFS as well as affiliated companies, contrary to Lincoln's security policy. The company also discovered that LFA used shared usernames and passwords to access the portfolio system. An investigation revealed that LFA and LFS used a total of six shared usernames and passwords, which were created as far back as 2002.

The forensics investigation didn't turn up any evidence that any access using the shared credentials was unauthorized, Lincoln said. LFS and LFA were notifying Delaney voluntarily "out of an abundance of caution and with full reservation of their rights in all respects," the company's legal representative wrote. Of the 1.2 million customers potentially affected, about 18,900 are New Hampshire residents.

LFS and LFA have discontinued use of shared usernames and passwords and increased enforcement of the policy banning use of shared credentials, the company said. Lincoln also is notifying affected customers and offering them free credit monitoring.