Lincoln Financial Group says it took swift action to safeguard private consumer information and beef up its security policies, after it discovered vulnerabilities in a Web-based system that stored consumer account records for two of its business units.
Those weaknesses came to full light Thursday, after the Financial Industry Regulatory Authority imposed fines totaling $600,000 on Lincoln Financial Securities and Lincoln Financial Advisors Corp. because of the previous security lapses. Both are broker dealers under Lincoln Financial Group, based in Radnor, Pa.
The regulator said the companies had failed to adequately safeguard non-public customer information. It also said that Lincoln Financial Services did not require brokers working remotely to install security application software on their own personal computers to protect the firm’s securities business.
Lincoln Financial Securities took the heavier hit, with $450,000 in fines, leaving Lincoln Financial Advisors with a $150,000 punishment. FINRA said that LFS and LFA, for seven and two years, respectively, allowed current and former employees to access customer account records through any Internet browser. This access was through shared user names and passwords. Worse, according to FINRA, neither firm had policies dictating which employees had the login information. They were, therefore, not able to track which employees—or how many, for that matter—had gained access to the site during the seven-and two-year periods.
Also, the Web-based system that the firms used combined non-public customer account information from various sources and allowed employees to view the customer account information within a single site. They could access the system from two wide-open points: a link on the firm’s Web site and any Internet browser.
Lastly, FINRA found that Lincoln did not have a means to change the common access information. Indeed, many individuals had left the two firms during the applicable time periods, yet the login information remained the same.
Despite evidence of poor gate keeping, officials at Lincoln say they were unaware that consumer information was abused.
“Neither LFA nor LFS has any evidence or reason to believe that client information has been acquired or misused by any unauthorized person,” according to a statement from Ayele K. Ajavon, a company spokeswoman. The company did not offer specific examples of how it changed its security protocols.
Lincoln did, however, notify customers whose information was potentially at risk. It also offered up to one year of continuous credit monitoring and free identity theft consultation and restoration, if necessary.