FINRA notifies Lincoln National of security vulnerability
A vulnerability in the portfolio information system for broker-dealer subsidiaries of Lincoln National Corporation potentially exposed the records of 1,200,000 people, 18,900 of whom are New Hampshire residents.
By letter dated January 4, attorneys for Lincoln Financial Securities Corporation and Lincoln Financial Advisors notified the New Hampshire Attorney General’s Office that although an outside forensic review found no reason to believe that client data were actually accessed or misused, information such as names, addresses, Social Security numbers, account numbers, account registration, transaction details, account balances, and in some cases, dates of birth and email addresses had been potentially exposed. The affected system is not used to transfer funds or effect trades.
Lincoln first became aware of the problem on August 17, when it was notified by FINRA, the Financial Industry Regulatory Agency, that someone had contacted them with a username/password combination that gave access to the portfolio information system. The user/pass had reportedly been shared among various employees of LFS and employees of affiliated companies, in violation of LNC’s policies. FINRA declined to inform LNC as to whether the provider of the user/pass was a current employee, but when FINRA investigated, they discovered that LFA was also using a shared user/pass.
LNC’s investigation subsequently determined that there were six shared user/password combinations, going back as early as 2002.