LPL Financial reports theft of computers

LPL Financial (formerly known as Linsco/Private Ledger Corp) has had a number of data breaches in the past few years, most of which never get reported in the media. Two more have just come to light.

In one newly revealed incident, two desktop computers were stolen from the office of Sullivan and Schlieman Wealth Management, LLC, a financial advisor in Alpharetta, Georgia. The theft occurred on March 27, 2009. Personal information including names, addresses, financial account information, and Social Security numbers “may have been breached,” according to a June 1 letter sent to the New Hampshire Attorney General’s office by LPL. Although the theft occurred on March 27 and was reported to the local police, LPL was not notified of the incident until April 29. Affected individuals were notified in May.

In a second newly revealed incident, two computers and a server were stolen from the office of Sandru Financial Group in Perrysburg, Ohio on April 8. LPL learned of the incident on April 9 and notified those affected that month that their name, address, Social Security number and financial account information were on the stolen devices.

Neither report nor notification letters indicate whether the data on the stolen devices were encrypted.

As indicated below, there have been a number of breaches involving LPL Financial in the past few years:

JULY 2007:
On July 16 2007, LPL learned that hackers had obtained the login passwords of 14 financial advisors and four assistants in offices in New Jersey, Illinois, Rhode Island, Pennsylvania, Colorado, Texas, California, Georgia and Connecticut. Over a period of several months, the hackers used the passwords to access customer accounts as part of a “pump and dump” scheme.

On October 12 2007, LPL notified the Maine Attorney General that unauthorized person(s) had obtained access to LPL’s trading and operation system (BranchNet) data by obtaining passwords of eight of their financial advisors. According to that report, the hack occurred on July 17 and LPL discovered it that day. There were attempts to place fraudulent trades across 40 different accounts. A report was also filed with NYS on October 15. By May 2008, however, LPL provided a revised report on the breach, which affected a total of 10,219 individuals, according to Keith Fine’s May 6 2008 letter to the New Hampshire Attorney General. Personal information that was potentially accessed included unencrypted names, addresses and Social Security numbers of customers and non-customer beneficiaries, but according to the letter, LPL could not determine whether the information was actually accessed. Notification was sent to those affected on 9/21/07; 9/26/07; 10/12/07; 12/11/07 12/17/07; 2/26/08; 3/7/08; 3/14/08; and 3/17/08. The incident was also reported to the Maryland Attorney General.

On September 12, 2007, a burglary of the home office of LPL in San Diego resulted in the theft of a laptop containing personal information of 1,397 residents of Massachusetts who were LPL representatives or office employees. LPL learned of the theft on September 13, 2007, according to a letter sent to the Maryland Attorney General’s office on May 6, 2008. The information on the laptop included unencrypted names, addresses, fingerprints, and Social Security numbers. Affected individuals were notified between November 30, 2007 and March 10, 2008. LPL indicated that it was first going to send Maryland residents the information required by Maryland’s law on May 9, 2008. The sample notifications attached are the same ones attached to the December 11th incident report, and do not seem to correspond to the incident.

On November 5 2007, a burglary at an LPL Financial office in Chandler Arizona resulted in the theft of a laptop containing unencrypted names, Social Security numbers, and account statement information on 56 individuals. Although LPL learned of the breach that day, those affected were not notified until February 19, 2008, and the New Hampshire Attorney General’s Office was not notified until May 6, 2008. LPL explained the delay in notifying individuals by saying that their investigation took time to determine whose data were on the laptop and what kinds of data were on it. The attachment showing the notification letter to affected individuals, however, does not describe the incident at hand, and seems to describe another breach that they had had.

On December 11, 2007 five computers were stolen from two financial advisors working in an LPL office in Diamond Bar, California. The computers contained unencrypted names, addresses, dates of birth, Social Security numbers, and account numbers of 444 LPL customers. The incident, which was first reported to the Maryland Attorney General’s office on May 6, indicated that those affected were notified on February 11, 2008. Based on outside counsel’s advice, LPL indicated that it would also be sending a supplemental notice to the one Maryland resident affected on May 9. The attached sample notification letter to those affected describes the incident as “an unauthorized person(s) obtained access to the system…” The supplemental letter to the Maryland resident also refers to the incident as one in which “personal information may have been accessed.”

APRIL 2008:
On April 4 2008, a break-in at the Lansing, Michigan office of William and Nathanael Flynn resulted in the theft of a laptop that contained unencrypted names, Social Security numbers, dates of birth, and account numbers of customers and non-customer beneficiaries. Those affected were notified in July 2008, according to LPL’s July 24 letter to the New Hampshire Attorney General. A separate letter by their outside counsel to the Maryland Attorney General, dated July 28, 2008 indicates that 1017 individuals were affected, three of whom were Maryland residents.

On April 10 2008, a laptop was stolen from an employee’s vehicle in East Stanley, North Carolina. The laptop contained unencrypted personal information on about 2800 employees of LPL Financial and its affiliates, including names, Social Security numbers,, employee ID and other employment and compensation information. Although LPL learned of the theft on April 10, its May 6 letter to the New Hampshire Attorney General’s Office indicated that those affected would first be notified by May 9 2008. The incident was also reported to the Maryland Attorney General’s office.

MAY 2008:
On May 5, 2008, hackers compromised the login password of a financial advisor. As in the 2007 incident, the password was used to gain access to customer accounts as part of a “pump and dump” scheme. In this incident, 185 customers and non-customer beneficiaries were affected. The potentially affected data included unencrypted names, addresses, Social Security numbers, and account numbers. Unlike the 2007 incident, however, which went on for months, in this instance, LPL detected the compromise the same day. The incident was reported to the Maryland Attorney General on June 10, 2008 after affected individuals were notified on June 6.

In September 2008, the Securities and Exchange Commission (SEC) settled charges with LPL over the two incidents were hackers accessed customer accounts. The SEC charged LPL with failure to adequately protect customer data:

Despite its being aware as early as 2006 that it had insufficient security controls to safeguard customer information at its branch offices, LPL failed to implement adequate controls, including some security measures, which left customer information at LPL’s branch offices vulnerable to unauthorized access. Between mid-July 2007 and February 2008, LPL experienced a series of computer system security breaches in which an unauthorized person(s) accessed and traded, or attempted to trade, in the customer accounts of several of LPL’s registered representatives.

On October 24 2008, LPL discovered a third-party system error had allowed four clients to view personal information of 19 individuals. The problem was corrected that same day. Those affected were first notified in January 2009, according to a letter sent by Keith Fine to the New Hampshire Attorney General’s office on February 2, 2009.

On November 25, 2008, an unauthorized individual “gained access to our operation and trading platform,” according to a letter sent to the Maryland Attorney General’s office on January 30, 2009 by LPL’s outside counsel. Those affected were notified on January 29, 2009. The attached notification sample indicates that those affected were clients of Aleda Kresge. A Google search indicates that she is a financial advisor in Frisco, Colorado.

About the author: Dissent

Comments are closed.