Lincoln National Life Insurance notifies over 26,000 of breach after user/pass distributed in brochure and on the web
Through its attorneys, Lincoln Life Insurance notified the New Hampshire Attorney General’s Office of a breach affecting over 26,000 clients of Lincoln National Life Insurance and Lincoln Life and Annuity Company of New York.
On February 26, the company was notified by a vendor that a username and password combination reserved for authorized brokers and agents had been printed in a brochure distributed by the company for “agent or broker use the only.” The login information enabled access to a secure web site maintained by a third party that obtains medical and other information from those individuals seeking life insurance. Information on the secure web site includes the applicants’ names, addresses, Social Security numbers, policy numbers, driver’s license numbers, credit, and/or medical information.
To compound the problem, the brochure had been posted publicly on an agent’s web site.
The company’s internal investigation as well as a forensic examination conducted by an outside consultant, Mandiant, did not find any conclusive evidence of unauthorized access to any client’s information, but could not rule out the possibility, either. The investigation also revealed that the login information had been published in the brochure since December 2008, and that the brochure also appeared on three other agents’ web sites.
According to the notification letter, the company was sending out letters to 26,840 individuals yesterday, offering them free services.
This was the third breach notification to the New Hampshire Attorney General’s Office this year involving a subsidiary of the Lincoln Financial Group and the second one involving Lincoln National Life Insurance and Lincoln Life & Annuity. In the first incident, FINRA notified Lincoln Financial Securities Corporation and Lincoln Financial Advisors that 1.2 million clients’ records were vulnerable to exposure because of use of a shared username/password. In the second incident, Lincoln learned that a series of technical errors going back to 2002 had resulted in client data being misfiled and available to other clients.