Monday, January 18, 2010

Lincoln National: Weak security, strong customer care

Lincoln National discovered last August that several shared usernames and passwords had been created in 2002 to make it easier for staff to perform administrative duties. I can't say from intimate knowledge of Lincoln National's employees, but I imagine the thinking went something like this:
"It will save a lot of time if we don't have to log out every time we leave a computer so other people can log in if they need to... If we just make a few logins and share the information, it'll save tons of time."

Of course, this goes against PCI and Sarbanes-Oxley compliance because it ruins accountability: if more than one person uses a login, it becomes almost impossible to prove who did what with it. Most companies I know check for shared logins (also known as generic logins) on at least a quarterly basis and get audited annually, so I'm not sure how this little snafu went on so long.
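One simple version of that quarterly check, written for this post as an added example rather than anything Lincoln National or its auditors used: scan login/logout records and flag any username that is logged in from two workstations at the same time, since one person cannot normally do that. The log format, the account names and the workstation names are all constructed for the example.

```python
# Added example (not from the post): flag accounts that look shared or
# "generic" by finding one username active on two different workstations
# at once. Log format, user names and host names are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, event, user, workstation
SAMPLE_LOG = """\
2010-01-18T08:00:00 LOGIN admin_shared WS-014
2010-01-18T08:05:00 LOGIN jsmith WS-022
2010-01-18T08:10:00 LOGIN admin_shared WS-031
2010-01-18T08:20:00 LOGOUT jsmith WS-022
2010-01-18T08:30:00 LOGIN jsmith WS-022
2010-01-18T08:45:00 LOGOUT admin_shared WS-014
2010-01-18T09:00:00 LOGOUT admin_shared WS-031
2010-01-18T09:10:00 LOGOUT jsmith WS-022
"""

def parse_log(text):
    """Yield (timestamp, event, user, host) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, host = line.split()
        yield datetime.fromisoformat(ts), event, user, host

def find_shared_accounts(text):
    """Return {user: set of hosts} for every user that had sessions open on
    two different hosts at the same moment (the tell-tale sign of sharing)."""
    active = defaultdict(dict)   # user -> {host: login time}
    flagged = defaultdict(set)
    for ts, event, user, host in sorted(parse_log(text)):
        if event == "LOGIN":
            # Other hosts still active for this user mean an overlapping session.
            others = set(active[user]) - {host}
            if others:
                flagged[user].update(others)
                flagged[user].add(host)
            active[user][host] = ts
        elif event == "LOGOUT":
            active[user].pop(host, None)
    return dict(flagged)

if __name__ == "__main__":
    for user, hosts in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: concurrent sessions from {sorted(hosts)}")
```

A real review would also pull the list of accounts with no named owner in the HR or directory system; the overlap check only catches accounts that are actually being shared during the window examined.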

The company says that there is no evidence of improper use of the shared logins, but since there is no way to prove that no data was compromised, Lincoln National is voluntarily notifying state agencies and customers and offering customers free credit monitoring.

It's nice to see a company that steps up to the plate and does the right thing when they screw up. I have a feeling there may still be an investigation and maybe some fines, but it won't hurt Lincoln National's case that they looked after their customers when a problem was discovered.