Odd Lincoln National Breach Disclosure

January 15, 2010

Lincoln National Breach Disclosure Breach Of 1.2 Million Customers.

There are many legacy behaviors that result in sharing of user name/password pairs.  Some of the most difficult examples to deal with involve the use of “shared” administrative credentials.  The articles today about Lincoln National’s credential-sharing incident present a challenge to all of us in financial services businesses.  I have been involved in a number of merger/acquisition efforts and was never surprised to find the use of shared passwords throughout the technology and operations ranks.  It seems to be a legacy assumption expressed by software architects, engineers, and developers.  Too many of those responsible for database administration seem to assume that credential sharing is an integral part of what they do.  Lincoln says that they are going to carefully research operations across their organizations and eliminate the use of shared credentials.  If they can achieve this goal, much of the rest of this industry will be on the defensive.

Here is my outline of the of what I have seen released today:

  1. User credential sharing at Lincoln was initially reported to the Financial Services Regulatory Agency (FINRA) by an “unidentified source.”
  2. Lincoln’s response said that the credential was used only at two of their investments-related subsidiaries.
  3. The credential provided administrative access to a customer portfolio information system that consolidates detailed customer account data from “hundreds of disparate sources” including transaction-level activity from what appears to be all lines of their business.
  4. The portfolio information system contained records for 1.2 million customers.
  5. Shared user credentials are forbidden by Lincoln policies.
  6. Lincoln hired outside council.
  7. The outside council then hired a specialty forensic investigation organization to assess what happened.
  8. Lincoln subsequently found a total of 6 shared user name/password pairs associated with the portfolio information system in question.
  9. The user name/password pairs were “created and distributed by the system administration team to certain home office and support staff to perform administrative functions, respond to registered representative inquiries and review client account activity.”
  10. In a carefully-worded conclusion, Lincoln wrote that they are “unaware of any reported instance of identity theft or fraud related to this vulnerability” and that they have “determined that this incident does not constitute a breach of security as defined under New Hampshire law.”
  11. Nevertheless, Lincoln wrote to the New Hampshire Attorney General that “All shared usernames and passwords have been discontinued.”
  12. And that Lincoln has “heightened their enforcement of the existing (Lincoln) policy that prohibits shared usernames and passwords.”
  13. Lincoln also said that “Individuals whose personal information was exposed to this vulnerability will receive voluntary notification, and the offer of free credit monitoring.”
  14. The company also committed to conduct a “comprehensive review of their client information systems for similar vulnerabilities.”
  15. Lincoln will be notifying their customers in at least 13 states.
  16. This will necessarily result in non-trivial expense and (possibly) some amount of damage to Lincoln’s reputation.

I am curious about how this will play out with retail and institutional customers.  Will they press for more evidence of policy-compliant behaviors, will the institutional crowd include this in negotiations for a better deal, will anyone bolt?

This was an expensive exercise, and Lincoln is not finished investing in the “cleanup.”

To some extent Lincoln’s public behavior sets a precedent for other financial services corporations.  Lincoln’s behaviors when confronted with this incident, and their follow-on commitment to hunt down (and, they imply, eliminate) the use of shared credentials throughout their infrastructure and operations establishes a high bar.

Regardless of its applicability in U.S. courts, this is something that more than a few financial services organizations will need to deal with.

For those in the financial services business, shared user credentials are also prohibited by our security policies.  This is just one of the entry-level security requirements for all corporations in our business.  Those who are unable or unwilling to ensure that a risk-reasonable proportion of their workforce align their behaviors with that commitment are now on notice.

– References –

“Lincoln National Discloses Breach Of 1.2 Million Customers.”
http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034 and http://doj.nh.gov/consumer/pdf/lincoln_financial.pdf


%d bloggers like this: