A Concord, New Hampshire, financial services company is sending data breach notification letters to customers after discovering that shared passwords, set up nearly 10 years ago to simplify administrative functions, could have exposed the private data of 1.2 million customers. Lincoln National began notifying customers of the problem last week, according to a letter (pdf) posted to the New Hampshire Department of Justice's Web site. According to the letter, the company learned of the issue on Aug. 17, after a federal regulator was tipped off by an unnamed source. The Financial Industry Regulatory Authority was given a username and password combination that let anyone access Lincoln's portfolio information system.

It goes to show you that basic computer access reporting, automated password policies and expirations, provisioning and de-provisioning, and strong authentication cannot be taken for granted at any company – including at Lincoln National.
Now, imagine that shared password being used to access a federated application and the damage that might have been done. You shouldn't wonder why some companies are so concerned about their own internal security and the trustworthiness of their identities, let alone how a trusted identity could be used in a federated setting. As long as IT is seen as a "cost" or a "burden," these types of things are going to continue to happen.
I sure hope that some IT guy at Lincoln National said: "If only you had bought – insert software name here – so we could have prevented this!"