Lincoln National reports breach to New Hampshire Attorney General
Date Reported:
7/16/10
Organization:
Lincoln National Corporation
Contractor/Consultant/Branch:
Lincoln National Life Insurance Company (same Website address)
Lincoln Life & Annuity Company of New York (same Website address)
Lincoln Financial Group (same Website address)
"a third party vendor" (undisclosed)
Location:
Undisclosed/Web-based
Victims:
"a current or former policyholder of, or someone who submitted information in connection with a life insurance application to, The Lincoln National Life Insurance Company or Lincoln Life and Annuity Company of New York (together referred to as "Lincoln")"
Number Affected:
26,840
Types of Data:
"the individual's name, address, policy number, Social Security number, driver's license number, credit or medical information"
Breach Description:
Lincoln National Corporation (or a subsidiary) has notified the New Hampshire Attorney General of a breach. A shared username and password for a "secure" website used by the company to process insurance applications was found printed in brochures and posted on an agent's public website and on three other websites.
Reference URL:
New Hampshire Attorney General breach notification letter(s)
Report Credit:
The New Hampshire Attorney General
Response:
WARNING - What you read below are my opinions based on my interpretations of available information. My comments regarding this breach are critical of the parties involved. I encourage you to read the facts for yourself and not to let my comments distract you too much. My comments reflect some frustration at the language used in the notification letters and the seemingly (very) poor information security practices. In my opinion, Lincoln National Corporation is a very respectable company, and this probably adds to my frustration.
From the online source cited above:
"On behalf of our clients, The Lincoln National Life Insurance Company and Lincoln Life Annuity of New York, (collectively referred to as the "Company"), we hereby notify you of the discovery of an incident that potentially exposed certain personal information (identified below) to unauthorized access.
[Evan] The word "potentially" is wrong. The fact of the matter is that certain personal information WAS exposed to unauthorized access. When you publish a username and password on brochures and at least four public websites, you HAVE exposed information to unauthorized access. Read on, and you will probably agree.
The incident involved approximately 26,840 individuals
It is important to note that an investigation conducted by the Company's Information Technology and Security teams, as well as an outside forensic consultant, which was completed on June 11, 2010, revealed no evidence or reason to believe that customer information has been accessed or acquired by an unauthorized person, and the Company has taken several immediate and important steps to eliminate the potential of unauthorized access to personal information.
[Evan] Again, read on. This incident resulted from the disclosure of a shared username and password. If a shared username and password are used to access information, how do you tell who accessed the information? The credentials are shared!
The Company engages a third party vendor to obtain medical and other information authorized by a potential insured seeking to obtain life insurance.
The third party vendor maintains this information on a secure website that can be accessed by authorized Company employees and agents through a username and password for the purpose of underwriting insurance.
[Evan] The third party did not maintain a "secure" website if the website was not secured!
The vendor's secure website for any such individual may include the individual's name, address, policy number, Social Security number, driver's license number, credit or medical information.
[Evan] Again, this is hardly a "secure" website if access to sensitive information is controlled by a shared username and password.
On February 26, 2010, the Company was notified by the vendor that it had discovered that a username and password, which was designated for use by authorized Company employees, was contained in a brochure printed and distributed by the Company for "agent or broker use only."
[Evan] The username and password are already shared with multiple people, so why not publish them on a brochure too!
Although this brochure was not intended for use by the public, the vendor discovered that it had been displayed on a Company agent's public website.
[Evan] …and post it online.
Upon discovery of the publication of the username and password, the Company disabled the published username and password and removed the log-on credentials from the "agent and broker use only" brochure.
[Evan] Whether the brochure was intended for "agent and broker use only" hardly seems like any kind of feasible control. If it is not a feasible control, then why mention it in the letter to the Attorney General twice?
A new brochure without the username and password was distributed to the Company's agents and brokers.
The Company also confirmed that the image of the brochure was removed from the agent's website.
Upon discovery of this issue, the Company took a number of actions to investigate the incident and to protect the personal information of the affected individuals.
The Company determined that the username and password were included in the brochure as of December 2008.
[Evan] Since December 2008?! It took until now for someone to question and respond to it?!
The investigation revealed that the brochure was also posted on the websites of three other agents of the Company.
[Evan] …and three more websites. First, a shared username and password is a well-known no-no, but despite that we have the shared credentials being printed and distributed on brochures since 2008 and posted on at least four publicly-accessible websites.
The Company has no reason to believe that the hard copies of the brochure were distributed to anyone other than Company agents, who are bound by confidentiality obligations.
[Evan] How many company agents? Current and former company agents would have had access, right? Were the brochures left lying around, or does the company prohibit this (clear desk policy)? There are so many questions and variables to consider before we could ever conclude that the brochures were handled properly/securely.
The Company's Information Technology and Security teams conducted an investigation into the incident and engaged the services of an outside forensic consultant, Mandiant, to determine which files may have been accessed and who accessed the files utilizing the username and password.
The forensic investigation could not determine whether any access using the shared usernames and passwords was unauthorized.
[Evan] Because it is a SHARED username and password! Wait. Does this say "usernames and passwords"? As in more than one? Maybe just a typo. I hope so.
There is, however, no evidence to support a conclusive determination that no such unauthorized access occurred.
To date, the Company has no evidence or reason to believe that personal information of the affected individuals was subjected to unauthorized access or acquisition.
The Company is unaware of any reported instance of identity theft or fraud related to this incident.
The Company has taken several important steps to protect personal information of its customers, applicants and others, and to prevent this type of incident from occurring in the future, including the following:
(1) The username and password were disabled, and the Company has heightened enforcement of the existing Company policy that prohibits the sharing of usernames and passwords;
[Evan] It's good to know that policy prohibits the sharing of usernames and passwords, but why wasn't this enforced? It's not like this violation (in this breach) would have been all that hard to detect.
(2) After a search of the Internet, the brochure was removed from the limited number of agent websites where it was posted;
(3) The brochure was immediately modified to remove the username and password; and
(4) Affected individuals will receive notification in the form enclosed as Exhibit A, by first class mail on or about July 20, 2010, and the offer of free credit monitoring.
The Company engaged Kroll to provide affected individuals toll-free access to its Customer Solutions Center, along with free credit monitoring services and identity theft consultation and restoration services.
[Evan] Kroll has a good reputation, so this is a good thing!
From the letter to victims: (just a couple of points to make here)
Safeguarding the privacy of information of our customers and applicants is a top priority at Lincoln.
[Evan] That hardly shows, given the bone-headed mistakes that led to this breach.
We are committed to protecting your information and recognize your need to know should it ever be compromised.
The purpose of this letter is to inform you that Lincoln recently discovered that a secure website used by Lincoln to evaluate applications for insurance, which may have contained information including your name, Social Security number and health information, was potentially vulnerable to unauthorized access.
[Evan] What's with "may have contained"? Either the website did provide access to (contain) this information, or it didn't. If I were a person receiving this letter from Lincoln, I would be led to believe that this "may" be an incident. The facts stated in the letter to the Attorney General support that there WAS an incident.
We have no reason to believe that your information has been accessed or acquired by an unauthorized person.
We are notifying you out of an abundance of caution to make you aware of the circumstances and to inform you of the steps that Lincoln has taken to rectify the situation.
[Evan] Oh no! Are you kidding me? There is no "abundance of caution" here! An abundance of caution would have been to protect the information better in the first place.
Because securing your information is so important to us, and as a precautionary measure to help safeguard you against any possible misuse of your information, we have also engaged Kroll Inc. to provide its ID TheftSmart service.
We take our obligation to protect client information seriously, and deeply regret any inconvenience or concern that this incident may cause.
Again, we have no evidence or reason to believe that your personal information has been accessed or acquired by any unauthorized person.
[Evan] The company states this numerous times throughout the notification letter. I can understand the need to not unnecessarily cause alarm, but provide facts to the victims to support this. The letter to the victims should be presented with enough facts for victims to judge risk for themselves. They are the owners of this information and they deserve it.
Commentary:
I have read and written about 686 breaches to date. I cannot recall a breach that miffed me more than this one. There are two words that I hate using, but they come to mind when I read about this breach: negligence and misleading. Unfortunately, I think you could make a case to support both. Here is my stance. If you make a mistake, admit it, apologize, and state what you will do to prevent similar circumstances. I respect organizations that use honesty to earn and keep my trust.
Lincoln did not adequately protect the sensitive customer information that was entrusted to them, yet through a careful manipulation of words it almost appears as though they are communicating this as a non-issue. The letter to the Attorney General is completely different from the sample letter sent to victims, and there must be a reason for this. I encourage you to read them both, and let us know what you think.
There are at least five areas where I found serious cause for concern in the way this should have been prevented and the way it was handled afterward. If I had more time, energy, and information, I could probably come up with more.
1) Shared credentials
Sharing credentials is a serious violation of information security. We use usernames to track who does what within the systems we are responsible for securing. We use passwords to validate that the username actually represents the person who is using the system. If we allow credentials to be shared amongst multiple people, we have no feasible way of determining who did what in the system.
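The point above (and the remark earlier that this violation would not have been hard to detect) can be shown with a small log check. This is an added example, not code from the original post or from Lincoln or its vendor; the log format, usernames and addresses are constructed for illustration. It flags any username that logs in from several distinct source addresses within a short window, which is the fingerprint a shared credential leaves even when the system cannot say which person was behind each session.

```python
"""Flag usernames that look shared: logins from distinct source addresses
close together in time. Added example with constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log, one event per line:
# "<ISO timestamp> <username> <source IP> <login|logout>"
SAMPLE_LOG = """\
2010-02-01T09:00:12 underwriter.shared 203.0.113.10 login
2010-02-01T09:03:40 underwriter.shared 198.51.100.7 login
2010-02-01T09:05:02 underwriter.shared 192.0.2.55 login
2010-02-01T09:30:00 underwriter.shared 203.0.113.10 logout
2010-02-01T10:15:33 jsmith 203.0.113.22 login
2010-02-01T11:00:00 jsmith 203.0.113.22 logout
2010-02-01T13:02:11 jsmith 203.0.113.22 login
"""


def parse_log(text):
    """Yield (timestamp, user, src_ip, event); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, event = parts
        yield datetime.fromisoformat(ts), user, ip, event


def find_shared_logins(text, window=timedelta(minutes=30), min_sources=2):
    """Return {user: sorted list of source IPs} for every user whose logins
    from at least `min_sources` distinct addresses fall within `window`."""
    logins = defaultdict(list)
    for ts, user, ip, event in parse_log(text):
        if event == "login":
            logins[user].append((ts, ip))
    flagged = defaultdict(set)
    for user, events in logins.items():
        events.sort()
        for i, (ts, ip) in enumerate(events):
            ips = {ip}
            for later_ts, later_ip in events[i + 1:]:
                if later_ts - ts > window:
                    break  # events are sorted, nothing later fits the window
                ips.add(later_ip)
            if len(ips) >= min_sources:
                flagged[user] |= ips
    return {user: sorted(ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    for user, ips in find_shared_logins(SAMPLE_LOG).items():
        print(f"possible shared credential: {user} from {', '.join(ips)}")
```

The same check runs against real authentication logs once `parse_log` is adapted to their format; in this sample only the shared underwriting login is flagged, while a single user returning from the same address is not.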
2) Poor information security training
It appears as though the sharing of these credentials had been going on since at least December 2008. If in fact the company prohibits the sharing of credentials in policy, why wasn't this reported as a violation of policy? Didn't anyone stop to think that this might not be a good idea?
3) Poor vendor risk management
Poor vendor risk management is more of a problem and more widespread than most people realize. Vendors who maintain any type of access to sensitive information must be treated as an extension of the company's protection domain. The risks associated with every vendor relationship must be accounted for in the corporate information security program.
4) Poor auditing and/or compliance enforcement
Since December, 2008. Enough said.
5) Poor response
I do not like the response at all for more reasons than one. I have already given enough of my opinion, so I will let you judge for yourself. Read the two letters (one to the Attorney General, and one to the victims). I would love to know your thoughts.
Past Breaches:
Unknown