A financial services company is sending data breach notification letters to customers after discovering that shared passwords, set up to simplify administrative functions nearly 10 years ago, could have exposed the private data of 1.2 million customers.
Lincoln National began notifying customers of the problem last week, according to a letter (pdf) posted to the New Hampshire Department of Justice's website.
According to the letter, the company learned of the issue on 17 August, after a federal regulator was tipped off by an unnamed source. The Financial Industry Regulatory Authority was given a username and password combination that let anyone access Lincoln's portfolio information system.
"This username and password had been shared among certain employees ... and employees of affiliated companies," Lincoln National's letter states. This is in violation of the company's security policy. The portfolio system is used by the company's subsidiaries, Lincoln Financial Securities and Lincoln Financial Advisors.
This system is not used in trades or balance transfers, but it contains names, Social Security numbers, account numbers and balances, dates of birth and email addresses, data that could be misused by identity thieves if the password should fall into the wrong hands.
After hiring a forensic investigator, Lincoln discovered that six shared usernames and passwords were created, starting back in 2002 to help staffers with administration and customer support duties. Lincoln has no evidence that the passwords ever fell into the wrong hands, but the company notes that there is "no evidence to support a conclusive determination that no such unauthorized access occurred."
Lincoln doesn't believe that the incident constitutes a data breach, at least so far as New Hampshire state law is concerned, but it said it's voluntarily notifying the state and customers as a precautionary measure.
Victims will be notified by mail and offered free credit monitoring.