Lincoln National, a financial services company based out of Concord, NH, has alerted the New Hampshire AG about a potential data breach involving passwords. It's the type of thing that can easily subvert any type of data security scheme, including hard disk encryption.
According to the letter to the AG, subsidiaries of Lincoln National shared passwords for accessing their portfolio information system, possibly impacting 1.2 million clients. The system is not used for actual financial transactions (that's my interpretation), but SSNs, addresses, names, dates of birth, e-mail addresses, transaction details, account numbers, and balances are accessible from within the system's database.
Six shared usernames and passwords were created, dating back to 2002, with the purpose of facilitating administrative and customer support duties.
Outside forensic examiners found that there is no reason to believe that shared access has resulted in the misuse of client data.
All of the above was instigated after someone tipped off FINRA, the Financial Industry Regulatory Authority.
While nothing has come out of it, probably, the use of shared passwords poses a risk to data security.
An easy way to undermine data security is to share passwords. While nothing has come out of the above situation (well, nothing that was found), there are plenty of instances across the world where shared passwords have led to less than appealing situations.
Consider Société Générale, the French financial services company that saw losses of over 7.2 billion dollars in 2008 due to fraud. Among several reasons, the sharing of passwords allowed the perpetration of the crime.
Furthermore, every other week I read about how people illegally access databases to steal personal information. Keep in mind, these are people using their own usernames and passwords; chances are they'd go wild with someone else's username and password.
Sharing passwords is convenient. Some would say it's "efficient," since things can be done in record time, as opposed to putting in a request to IT and waiting for something to happen. However, the truth is that it also allows data breaches to occur, conveniently and efficiently.
No matter how big a hassle, care must be taken not to reveal passwords.
Related Articles and Sites:
http://www.computerworld.com/s/article/9145240/Financial_firm_notifies_1.2M_after_password_mistake
http://www.fiercecio.com/story/financial-firm-warns-1-2-million-files-exposed/2010-01-17
http://doj.nh.gov/consumer/pdf/lincoln_financial.pdf