Lincoln Investment Planning Breach Exposes 703 Clients After Adviser System Hack
Lincoln Investment Planning disclosed a breach affecting 703 clients after an unauthorized party accessed a financial adviser's systems. SSNs, driver's licenses, and account data exposed.
Financial Adviser's Systems Compromised at Lincoln Investment Planning
Lincoln Investment Planning, LLC, a Fort Washington, Pennsylvania-based investment adviser, disclosed a data breach affecting 703 individuals after unauthorized access to a financial adviser's systems on July 25, 2025. The compromised data includes names, Social Security numbers, driver's license numbers, and financial account information -- the full suite of data needed for identity theft, account takeover, and fraudulent new account creation. Federal law enforcement has been notified, a detail that suggests the firm or its investigators believe the attack warrants criminal investigation.
Lincoln Investment detected the suspicious activity within three days, completed its data review within three weeks, and notified affected individuals within 49 days of the incident. That timeline is notably faster than peers in the investment advisory space. By comparison, Ashton Thomas Private Wealth took 126 days from incident to disclosure, and First Atlantic Capital took 134 days from intrusion to notification. Lincoln Investment's response time is closer to what regulators expect.
Timeline: 49 Days From Incident to Notification
The Lincoln Investment notification provides precise dates:
- July 25, 2025 -- Unauthorized access to a financial adviser's systems. This is the date data "may have been accessed or acquired without authorization."
- July 28, 2025 -- Lincoln Investment becomes aware of "suspicious activity impacting a financial advisor's systems." The firm immediately secures the systems and initiates an investigation.
- August 15, 2025 -- Data review identifies specific individuals whose information was in scope. This is 18 days after the incident was discovered -- fast relative to industry norms.
- September 12, 2025 -- Notification letters sent to approximately 703 affected individuals. Maine AG filing submitted.
Total time from incident to notification: 49 days. From detection to notification: 46 days. This is well within the notification windows required by most state breach laws and significantly below the 60-day federal standard for HIPAA-covered entities (though HIPAA does not apply here).
The speed of Lincoln Investment's response contrasts sharply with the multi-month timelines we've seen at other investment firms. The firm's notification letter states it "moved quickly to investigate and respond" -- and the timeline supports that claim.
What Data Was Exposed in the Lincoln Investment Breach
Four data types were compromised:
Social Security numbers. The core identifier for identity theft. With a valid SSN, attackers can open credit accounts, file fraudulent tax returns, apply for government benefits, and defeat knowledge-based authentication. SSN exposure is permanent -- the number cannot be changed.
Driver's license numbers. State-issued ID numbers enable in-person identity fraud and fraudulent driver's license applications, and can be used to satisfy identity verification requirements at financial institutions and government agencies. Unlike SSNs, driver's license numbers can be changed by contacting your state DMV, though the process varies by state.
Financial account information. The notification references "financial account information" without specifying whether this includes brokerage account numbers, bank account details, or both. For investment advisory clients, account information could include custodial account numbers at firms like Schwab, Pershing, or Fidelity -- the clearinghouses where client assets are actually held.
Names. The linking element tying the other data types to specific individuals.
The combination of SSN, driver's license, and financial account data is unusually complete. Most breach notifications involve one or two data categories. This breadth suggests the compromised system contained client onboarding documents or account opening files, which typically bundle all of these identifiers together.
How the Attack Happened: A Financial Adviser's Systems Breached
The notification language is specific and revealing: "suspicious activity impacting a financial advisor's systems." This is not a firm-wide network breach or an email compromise. A single financial adviser's workstation, local network, or cloud environment was the entry point.
Lincoln Investment operates as a platform for independent financial advisers. In this model, advisers are affiliated with the firm but operate semi-independently, often from their own offices with their own IT infrastructure. The firm provides compliance oversight, trade execution, and platform services, but the adviser's local systems may be managed independently.
This creates a security gap. The parent firm may maintain enterprise-grade security for its core infrastructure, but the affiliated adviser's office may run on consumer-grade equipment with minimal security controls. Client data flows between both environments -- the adviser needs access to client records to do their job, and those records contain exactly the data types exposed in this breach.
The involvement of federal law enforcement is notable. Most breach investigations are handled by private forensic firms without law enforcement engagement. The decision to involve the FBI or Secret Service (the two most common federal agencies for financial cybercrime) suggests either that the attackers have been identified and prosecution is possible, or that the attack method warrants law enforcement attention for intelligence purposes.
Who Is Affected
The breach impacts 703 individuals -- clients of the specific financial adviser whose systems were compromised. Lincoln Investment's Maine AG filing covers two Maine residents among the 703 total. The firm filed in multiple states based on where affected clients reside.
Lincoln Investment Planning manages approximately $34 billion in client assets through a network of affiliated advisers. The 703 affected individuals represent one adviser's client book, not the firm's full customer base. Clients of other Lincoln Investment advisers are not affected by this specific incident.
The firm is offering 24 months of IDX credit monitoring -- double the industry-standard 12 months. The extended monitoring period may reflect the severity of the data exposure (SSN plus driver's license plus financial accounts) or may be driven by regulatory expectations. Either way, 24 months of monitoring is a stronger response than many peer firms have offered.
Regulatory Implications for Independent Adviser Networks
Lincoln Investment's regulatory exposure differs from standalone RIAs because of its affiliated adviser model:
SEC examination. Lincoln Investment is SEC-registered and subject to OCIE examination. The breach will prompt examination focus on the firm's supervisory procedures for affiliated advisers' cybersecurity practices. Regulation S-P, Rule 30 requires policies to safeguard customer records. Examiners will assess whether the firm's cybersecurity policies extended to affiliated advisers and whether those policies were enforced.
FINRA oversight. Lincoln Investment Securities, Inc. (the firm's broker-dealer subsidiary) is a FINRA member. FINRA Rule 3110 requires supervisory systems that address cybersecurity risks at branch offices. If the compromised adviser operated from a branch location, FINRA will review whether the firm's supervisory procedures covered IT security at that branch.
State AG enforcement. The firm filed in Maine, Maryland, New York, North Carolina, Rhode Island, and Washington, D.C. Each state has independent enforcement authority. The filing specifically reserves Lincoln Investment's rights regarding "the applicability of Maine law" and "personal jurisdiction."
The affiliated adviser problem. The SEC has been increasingly focused on cybersecurity at firms that operate through distributed adviser networks. In this model, the parent firm sets compliance policies, but individual advisers operate with varying degrees of IT sophistication. A single adviser's compromised laptop can expose hundreds of client records containing SSNs and account numbers. The SEC's 2025 examination priorities explicitly identified "information security and operational resiliency" as a focus area for investment advisers.
The Investment Adviser Breach Pattern
According to FinSecLedger's breach tracker, investment firms have reported a cluster of breaches in recent months. Lincoln Investment (703 affected), Ashton Thomas Private Wealth (1,644 affected), First Atlantic Capital (1,582 affected), and Edelman Financial Engines (5,083 affected) all disclosed breaches between September 2025 and February 2026.
The common thread is not a shared attack vector -- the methods range from email compromise to network intrusion to individual adviser system hacks. The common thread is the target profile: firms that hold high-value client data, operate with IT budgets that don't scale to the sensitivity of the data they hold, and face a regulatory environment that is just beginning to enforce cybersecurity requirements with real consequences.
The Verizon 2024 Data Breach Investigations Report found that the financial sector ranks among the top three most-targeted industries, with credential theft and system intrusion as the dominant initial access methods. Small and mid-sized investment advisers are particularly vulnerable because they combine the data sensitivity of a bank with the security budget of a small business.
The FS-ISAC has published guidance on cybersecurity for smaller financial institutions, but adoption remains uneven. For firms operating through affiliated adviser networks like Lincoln Investment, the challenge is compounded by the need to enforce security standards across dozens or hundreds of semi-independent offices.
Action Items for Affected Individuals and Investment Firms
- Lincoln Investment clients: Freeze credit at all three bureaus. The 24-month monitoring from IDX detects fraud after it happens. A credit freeze at Equifax, Experian, and TransUnion prevents new accounts from being opened. Credit freezes are free under federal law.
- Consider replacing your driver's license. Contact your state DMV about obtaining a new driver's license number. Unlike SSNs, many states will issue a new DL number for identity theft victims. This neutralizes one of the exposed data types.
- Review investment account activity. Contact Lincoln Investment and your account custodian (Schwab, Pershing, Fidelity, etc.) to verify no unauthorized transactions or changes have occurred. Request additional authentication requirements for account changes.
- Request an IRS Identity Protection PIN. With SSN and name exposure, tax fraud is a risk. The IRS offers an Identity Protection PIN (IP PIN) that prevents fraudulent tax returns from being filed using your SSN. Apply for one now, before tax season.
- Investment firms with affiliated advisers: Audit branch office security. If your firm operates through distributed adviser offices, conduct security assessments of each location. Verify MFA is enabled, endpoint protection is current, client data is encrypted at rest, and local backup practices meet firm standards.
- Establish minimum IT requirements for affiliated advisers. The era of letting advisers manage their own IT with no oversight is over. Firms should mandate specific security controls: MFA on all accounts, encrypted devices, managed endpoint detection, and regular security awareness training. Make these requirements contractual and auditable.