Lincoln National Discloses Breach Of 1.2 Million Customers

Shared-password vulnerability may have exposed personal information in online account management system

Jan 14, 2010 | 05:13 PM

By Tim Wilson
DarkReading

Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers.

In a disclosure letter (PDF) sent to the attorney general of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August. The company was planning to issue notification to the affected customers on Jan. 6, the letter says.

The letter does not give technical details about the breach, but it indicates the unidentified source sent FINRA a username and password to the portfolio management system.

"This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies," the letter says. "The sharing of usernames and passwords is not permitted under the LNC security policy."

FINRA declined to tell Lincoln whether the source of the username and password was a current employee or some other party, according to the letter.

Upon further investigation, Lincoln found another of its subsidiaries, Lincoln Financial Advisers, was using shared usernames and passwords to access the portfolio information management system, the letter states. In the end the company found a total of six shared usernames and passwords, which were created as early as 2002.

The passwords were "created and distributed by the system administration team to certain home office and support staff to perform administrative functions, respond to registered representative inquiries and review client account activity," the letter says.

The forensic team that investigated the breach found no evidence that the data had been used outside of the company, either by hackers or former employees, according to the letter. The portfolio management system consolidates data about customer accounts -- and therefore contains a good deal of personal information -- but it doesn't allow the user to actually access those accounts, the letter says.

Lincoln says it has "discontinued" all shared usernames and passwords in its systems, and it is notifying customers and offering them identity theft services.
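The letter says six shared administrative credentials went unnoticed for years, and the only way to spot that kind of sharing without an insider tip is to look at the authentication records. The following is an added example, not code from the article or from Lincoln, showing the simplest defender-side check: an account that is used from several distinct source hosts inside a short window is almost certainly being shared. The log format, usernames and addresses below are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not from the article):
# "<ISO timestamp> <username> <source host>", one successful login per line.
SAMPLE_LOG = """\
2010-01-04T09:02:11 pis_admin 10.1.4.21
2010-01-04T09:05:40 pis_admin 10.1.7.88
2010-01-04T09:06:02 jsmith 10.1.4.30
2010-01-04T09:07:15 pis_admin 10.2.9.14
2010-01-04T11:30:00 jsmith 10.1.4.30
2010-01-04T13:45:09 pis_support 10.1.5.2
2010-01-04T13:49:51 pis_support 10.1.5.3
2010-01-05T08:10:00 pis_admin 10.1.4.21
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, source) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src = line.split()
        records.append((datetime.fromisoformat(ts), user, src))
    return records


def find_shared_accounts(records, window=timedelta(minutes=30), min_sources=3):
    """Return {user: set(sources)} for every account that logged in from at
    least `min_sources` distinct hosts within some sliding window of `window`.

    A single person rarely authenticates from three machines in half an hour;
    a credential handed around a support team does it constantly."""
    by_user = defaultdict(list)
    for ts, user, src in sorted(records):
        by_user[user].append((ts, src))

    flagged = {}
    for user, events in by_user.items():
        # events are sorted by time; slide a window starting at each login
        for i, (start, _) in enumerate(events):
            srcs = {src for ts, src in events[i:] if ts - start <= window}
            if len(srcs) >= min_sources:
                flagged[user] = srcs
                break
    return flagged


if __name__ == "__main__":
    for user, sources in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: used from {len(sources)} hosts within 30 min: {sorted(sources)}")
```

The window and threshold are the tuning knobs: a tighter window with a lower threshold catches accounts passed around a single office, while a longer window catches the slower "one login per shift" pattern. Accounts flagged this way are candidates for replacement with per-person credentials, which is the remediation the letter describes.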
