Lincoln Financial Services and Lincoln Financial Advisors are now in the process of notifying more than 1.2 million customers that their personal data may have been compromised after someone got their hands on a username and password used to access the financial services providers’ portfolio management system.
LFS and LFA, a pair of broker-dealer subsidiaries of Lincoln National Corp. (NYSE: LNC), disclosed the security breach in a Jan. 4 letter to the New Hampshire attorney general’s office, revealing that an unidentified source in August sent the Financial Industry Regulatory Authority (FINRA) a username and password that would access the computer system and key information including a single view of all clients’ account assets.
More than 18,000 of the affected customers are New Hampshire residents.
The username and password, according to attorneys representing LFS and LFA, was one of six shared credential sets that had been created as far back as 2002, and were shared among certain home-office and support staff to perform administrative functions and review client account activity. The sharing of usernames and passwords violates the companies’ internal security policies, according to the letter.
The letter does not give technical details about the breach, but it indicates the unidentified source sent FINRA a username and password to the portfolio management system.
“This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies,” the letter said. “The sharing of usernames and passwords is not permitted under the LNC security policy.”
FINRA declined to tell Lincoln whether the source of the username and password was a current employee or some other party, according to the letter.
Lincoln National Corp. hired the consulting firm Kroll to conduct a forensic investigation of the breach, and the investigators found no evidence that the data had been used outside of the company and, thus far, there was no reason to believe any of the client data was altered or used for nefarious purposes.
For now, Lincoln National Corp. officials said the company has discontinued all shared usernames and passwords and is offering free credit-monitoring services to all affected customers.
While this latest security breach is one of the bigger ones in recent months, it’s certainly not an isolated event.
Last week, officials at Suffolk County National Bank in Long Island, N.Y. warned more than 8,000 customers that their account login information was likely compromised in November when a hacker illegally accessed a server hosting its online banking system.
California-based health insurer Health Net in November admitted that an external hard drive housing the medical records and Social Security numbers of 1.5 million patients went missing from its Northeast headquarters in Shelton, Conn., for at least six months before officials discovered the breach.
Also in November, MassMutual officials acknowledged that one of its employee databases was accessed by an unauthorized person or persons, exposing an unknown number of employees’ personal data for a yet-to-be-determined amount of time.
Larry Barrett is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.