LPL Financial reports eighteen compromised logons
Technorati Tag: Security Breach
Date Reported:
5/6/08
Organization:
LPL Financial
Contractor/Consultant/Branch:
None
Victims:
Customers
Number Affected:
10,219
Types of Data:
"names, addresses, phone numbers, account numbers, Social Security numbers, and dates of birth"
Breach Description:
LPL Financial recently notified the Maryland State Attorney General of a breach in which "hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial ("LPL")." The "hackers used these passwords to gain access to customer accounts in order to "pump and dump" penny stocks."
Reference URL:
Maryland State Attorney General breach notification
Report Credit:
Maryland State Attorney General
Response:
From the online source cited above:
We write to advise you of incidents in which hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial ("LPL").
[Evan] How does a "hacker" compromise usernames and passwords of eighteen people working for the same company? Compromised logon server, spear phishing, malware?
To our knowledge, the hackers used these passwords to gain access to customer accounts in order to "pump and dump" penny stocks.
Attempted transactions were intercepted and either rejected or reversed.
No losses were passed on to customers.
Hackers compromised the logon passwords of fourteen financial advisors and four assistants in branch offices located in New Jersey, Illinois, Rhode Island, Pennsylvania, Colorado, Texas, California, Georgia and Connecticut over the course of several months.
These incidents affected approximately 10,219 individuals.
The information that was potentially accessible included unencrypted names, addresses and Social Security numbers of customers and non-customer beneficiaries.
[Evan] I don't know the architecture of LPL's network or other infrastructure components, but I question why customers or financial advisors need access to Social Security numbers as part of a trading system. I know that LPL needs to store Social Security numbers for tax and other reporting purposes, but financial advisors, traders and customers don't need access to them.
At this time, LPL has no specific knowledge that any customer information was accessed or misused as a consequence of the breach.
We also are unaware of any personal instance of identity theft related to these incidents.
LPL learned of the first incident on July 16, 2007 and took the following actions: (1) notified law enforcement; (2) notified our primary regulator, the Financial Industry Regulatory Authority; (3) investigated the situation; (4) determined what information had been compromised; and (5) notified and offered solutions to the affected individuals.
LPL has taken several important steps to improve its level of data security and compliance.
LPL has increased the profile of data security issues within the company at all levels, up to and including senior management.
In March 2008, LPL hired Marc Loewenthal as SVP - Chief Security/Privacy Officer, a newly created position at LPL.
[Evan] This is the first breach notification that I have read that included this type of information. I don't know Mr. Loewenthal (which doesn't say too much), but I do know that he is stepping into a pressure situation.
Mr. Loewenthal has extensive experience in the area of data protection. As a member of senior management, he reports directly to the Chief Risk Officer of LPL.
[Evan] I like when I read about information security personnel occupying "senior management" positions. Effective information security management needs to be as "senior" as possible in order to effect change in the organization. Information security governance is NOT an IT issue, but an organizational issue. There needs to be more good CISOs and CSOs.
In addition, LPL has developed a new, comprehensive information privacy and security program with new policies and procedures that were implemented in April 2008.
In August 2007, LPL engaged the services of Kroll Inc. ("Kroll"), a risk consulting company, to provide various services.
In addition, LPL has commenced a project to enhance security on its advisor facing trading and operations systems in September 2007 and expects the project to complete in December 2008.
[Evan] Details are not available, but I would be interested in knowing more. Maybe removal of SSNs from the advisor facing trading systems and two-factor authentication are part of the mix.
Finally, LPL recently engaged the services of Edwards Angell Palmer & Dodge LLP to advise Mr. Loewenthal and LPL's in-house counsel as needed on information privacy and security issues.
LPL Financial is providing affected individuals with credit protection services from Kroll, Inc.
If you have any questions or feel you have an identity theft issue, please call ID TheftSmart at 1- between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.
If you want to talk to someone at LPL Financial to clarify or discuss the contents of this letter, please call us 1-, option 3 - Customer Service, between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.
We apologize for any inconvenience or concern this situation may cause.
We at LPL Financial believe it is important for you to be fully informed of any potential risk resulting from this incident.
We remain committed to maintaining customer privacy as a key priority and will continue to take the needed steps to protect your information.
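Evan's point above, that advisors and traders should not see Social Security numbers at all even though the firm must keep them for tax reporting, can be made concrete with field-level access control on the customer record. The following is an added example and is not LPL's code or anything from the notification; the role names, field policy and the sample record are constructed for illustration.

```python
"""Project a customer record down to what a role actually needs, so an
advisor-facing trading view never carries a full SSN.

Added example; not LPL's code. Roles, field names and the sample record are
constructed for illustration."""
from dataclasses import dataclass, asdict

# Which fields each role may see. Only the role that files tax reports gets the
# full SSN; the advisor view gets a masked form and nobody else gets any of it.
# (Assumed role names, not LPL's.)
FIELD_POLICY = {
    "advisor":       {"name", "account_number", "phone", "ssn_masked"},
    "assistant":     {"name", "account_number", "phone"},
    "tax_reporting": {"name", "account_number", "ssn"},
}

@dataclass(frozen=True)
class CustomerRecord:
    name: str
    address: str
    phone: str
    account_number: str
    ssn: str          # held in full only in the system of record
    date_of_birth: str

def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits: enough to confirm identity on a call,
    not enough to open credit in the customer's name."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return "***-**-" + digits[-4:]

def view_for_role(record: CustomerRecord, role: str, audit: list) -> dict:
    """Return the subset of fields the role may see and append an audit entry.
    An unknown role gets an error rather than the whole record."""
    if role not in FIELD_POLICY:
        raise PermissionError(f"no field policy for role {role!r}")
    full = asdict(record)
    full["ssn_masked"] = mask_ssn(record.ssn)
    allowed = FIELD_POLICY[role]
    view = {k: v for k, v in full.items() if k in allowed}
    # Audit by account number and field names only; never log the SSN itself.
    audit.append({"role": role, "account": record.account_number,
                  "fields": sorted(view)})
    return view

# Constructed sample record (not real data).
SAMPLE = CustomerRecord(name="J. Doe", address="1 Main St", phone="555-0100",
                        account_number="ACC-0001", ssn="123-45-6789",
                        date_of_birth="1970-01-01")

if __name__ == "__main__":
    log = []
    print(view_for_role(SAMPLE, "advisor", log))
    print(view_for_role(SAMPLE, "tax_reporting", log))
    print(log)
```

The point of the design is that a compromised advisor logon, the exact failure in this breach, exposes only masked identifiers; the full SSN is reachable only through the reporting role, and every projection leaves an audit record that can be reviewed when a logon is later found to have been misused.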
Commentary:
What makes this breach so interesting to me is the fact that there were at least 18 points of attack. I don't get the feeling that this was some sophisticated high-tech "hack" of LPL Financial's systems. It is much easier to craft an email or call someone and convince them to give you their login information.
Good luck Mr. Loewenthal, I'm sure you'll do fine!
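Eighteen accounts in nine states compromised over several months is the kind of pattern that shows up in logon records long before a regulator hears about it: one operator working many accounts tends to reach them from a shared source address, and from somewhere other than the advisor's home branch. The block below is an added example of that detection logic and is not LPL's code or based on any real LPL log; the record format, branch-to-state mapping and the sample events are constructed.

```python
"""Flag advisor accounts that look like part of a credential-compromise
campaign: many distinct accounts behind one source address, combined with
logons that geolocate outside the account's home branch state.

Added example; not LPL's code. Record layout and events are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed logon events:
#   (timestamp, username, home_branch_state, source_ip, source_geo_state)
# In this sample, accounts in NJ, IL and TX are all reached from 203.0.113.7,
# which resolves to a state none of them work in.
EVENTS = [
    ("2007-07-10T09:02:00", "advisor_nj1",   "NJ", "203.0.113.7",  "FL"),
    ("2007-07-10T09:15:00", "advisor_nj1",   "NJ", "198.51.100.4", "NJ"),
    ("2007-07-11T22:40:00", "advisor_il2",   "IL", "203.0.113.7",  "FL"),
    ("2007-07-12T23:05:00", "assistant_tx1", "TX", "203.0.113.7",  "FL"),
    ("2007-07-12T08:30:00", "advisor_ca3",   "CA", "198.51.100.9", "CA"),
]

def parse(event):
    """Turn one raw tuple into a dict with a real timestamp."""
    ts, user, home, ip, geo = event
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "home": home, "ip": ip, "geo": geo}

def shared_source_accounts(events, threshold=3):
    """Source addresses seen logging on to at least `threshold` distinct
    accounts. Branch users in different states rarely share one address."""
    users_by_ip = defaultdict(set)
    for e in map(parse, events):
        users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= threshold}

def out_of_state_logons(events):
    """(user, geo) pairs where the source geolocation differs from the
    account's home branch state."""
    return [(e["user"], e["geo"]) for e in map(parse, events)
            if e["geo"] != e["home"]]

def suspected_accounts(events, threshold=3):
    """Accounts worth an immediate password reset and a call to the advisor:
    they sit behind a shared address AND have an out-of-state logon."""
    shared = {u for users in shared_source_accounts(events, threshold).values()
              for u in users}
    remote = {u for u, _ in out_of_state_logons(events)}
    return sorted(shared & remote)

if __name__ == "__main__":
    print(shared_source_accounts(EVENTS))
    print(out_of_state_logons(EVENTS))
    print(suspected_accounts(EVENTS))
```

Either signal alone produces false positives (an advisor travelling, a shared corporate proxy), which is why the final list requires both; in practice the threshold and the geo source would be tuned against the firm's own baseline of where its branch users normally log on from.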
Past Breaches:
Unknown

Has anyone had serious problems with LPL?
Frank: this breach was the first one reported -- they have had 5 breaches in the past year that they reported -- one involving a laptop stolen from an employee's home, one involving a laptop stolen from an employee's vehicle, one involving 5 computers stolen from an office, and a second logon compromise like this first one reported a few months ago.
Their new chief security officer has his work cut out for him.
LPL has bigger problems than the breach :)
Thanks to the SEC's enforcement order from a few weeks ago, we now know how the accounts at LPL Financial were compromised. LPL has a notably poor password policy for their BranchNet trading system. Essentially, there are no password complexity or minimum length requirements, and users cannot change their passwords. Even worse, 300 people on their IT staff have access to the users' BranchNet passwords (which would seem to indicate they're in a database with very open access, and not hashed). The SEC called LPL's actions (or, rather their inaction) "reckless disregard".
Evan's comments above are absolutely correct: this was not a sophisticated "hack".
I have more commentary and information about the SEC's findings on LPL Financial on my blog: http://www.curbrisk.com/security-blog/lpl-financial-branchnet-hacking-reckless-disregard.html
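The weaknesses listed in the comment above (no length or complexity rule, passwords users cannot change, and a table readable by hundreds of staff, which only works if the passwords are stored in the clear) map directly onto a few lines of code. The block below is an added example, not LPL's, BranchNet's or the SEC's code; BranchNet's real implementation is not public, so the store layout, policy numbers and user names here are constructed. It puts the weak pattern beside a hardened one.

```python
"""Two password stores side by side: the weak pattern (stored in the clear,
set by an administrator, no rules) and a hardened one (per-user salted PBKDF2
hash, a policy check, user-initiated change, constant-time verify).

Added example; not LPL's code. Layout, policy numbers and users constructed."""
import hashlib
import hmac
import os
import re

class PlaintextStore:
    """The weak pattern: the password itself is the stored value, so everyone
    who can read the table can log on as every user in it."""
    def __init__(self):
        self._table = {}                 # username -> password, in the clear

    def set_password(self, user, password):   # set by admin, no policy at all
        self._table[user] = password

    def verify(self, user, password):
        return self._table.get(user) == password

    def dump(self):
        return dict(self._table)         # what a table reader sees

def check_policy(password, min_length=12):
    """Minimum length plus at least three of four character classes.
    Returns a list of failures; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems

class HashedStore:
    """Stores only salt + PBKDF2-HMAC-SHA256 output, so a reader of the table
    learns nothing usable for a logon."""
    ITERATIONS = 200_000

    def __init__(self):
        self._table = {}                 # username -> (salt, derived_key)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, self.ITERATIONS)

    def set_password(self, user, password):
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)            # fresh salt per password
        self._table[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        entry = self._table.get(user)
        if entry is None:
            return False
        salt, stored = entry
        # compare_digest avoids leaking how many leading bytes matched
        return hmac.compare_digest(stored, self._derive(password, salt))

    def change_password(self, user, old, new):
        """Users change their own password after proving the current one."""
        if not self.verify(user, old):
            return False
        self.set_password(user, new)
        return True

    def dump(self):
        # Everything a table reader sees: hex salt and hex hash, no password.
        return {u: (s.hex(), h.hex()) for u, (s, h) in self._table.items()}

if __name__ == "__main__":
    weak = PlaintextStore()
    weak.set_password("advisor1", "abc")
    print("weak store exposes:", weak.dump())
    strong = HashedStore()
    strong.set_password("advisor1", "Correct-Horse-42")
    print("hardened store exposes:", strong.dump())
```

The hardened store still gives operations staff everything they legitimately need (they can reset a user by calling `set_password` with a new value) without ever holding a password they could reuse, which is the property the comment says BranchNet lacked.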