Lincoln National Corp Reveals Potential Breach of 1.2 Million Accounts
Employees Violated Policy by Sharing User Names, Passwords

Lincoln National Corp., a financial services company based in Radnor, PA, disclosed a security vulnerability that may have leaked personal data of 1.2 million customers.
The company revealed the possible data breach in a letter to the attorney general of New Hampshire on January 4. In the letter, lawyers for the firm say the breach of the Lincoln portfolio information systems had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August.
While the letter did not disclose how the breach happened, it says the unidentified source sent FINRA a username and password that could access the portfolio system. This username and password had apparently been shared among employees of the company and vendors. "The sharing of usernames and passwords is not permitted under the LNC security policy," the letter states.
FINRA didn't tell Lincoln whether the source of the username and password was a current employee or some other party, the lawyers say in the letter.
Kroll, a forensic security company, was hired to do an investigation, which revealed Lincoln and another one of its subsidiaries, Lincoln Financial Advisers, were using shared usernames and passwords to access the portfolio information management system. Kroll found a total of six shared usernames and passwords, which were created as early as 2002.
The passwords were "created and distributed by the system administration team to certain home office and support staff to perform administrative functions, respond to registered representative inquiries and review client account activity," says the notification letter. Kroll's forensic team didn't find the data had been used outside of the company, either by hackers or former employers.
Lincoln says it has "discontinued" all shared usernames and passwords in its systems, has notified its customers, and is offering identity theft services to the affected customers.