LendingTree sues mortgage firms over security breach

LendingTree on Monday told customers that their sensitive information was leaked in a security breach and that it has sued three lending companies as a result.

(Credit: LendingTree)

Several former employees of LendingTree are believed to have taken company passwords and given them to a handful of lenders who then accessed LendingTree customer data files, the company said.

The data includes customer names, Social Security numbers, addresses, e-mail addresses, telephone numbers, and income and employment information, but not credit card information, LendingTree said in an e-mail to customers and on a frequently-asked-questions page on its Web site.

The outside lenders are believed to have accessed LendingTree customer loan request forms between October 2006 and early 2008. The lenders then tried to market loans to the customers, LendingTree says.

LendingTree's internal security uncovered the security breach and the company quickly reported it to authorities and made several security system changes. A LendingTree spokeswoman declined to say exactly when the breach occurred, when it was discovered, or how many customers were affected.

"We have no reason to believe any identity theft or fraudulent financial activity resulted from this situation," the FAQ says. "You still might want to get a free credit report and file a fraud alert with the credit bureaus. When you get your credit report, look for any accounts you didn't open and/or inquiries from creditors that you didn't initiate."

The e-mail to customers also advises that they have the right to obtain a police report and may also request a security freeze on their credit report file.

As a result of the breach, LendingTree has sued three California lenders: Newport Lending Group and Sage Credit Company, both of Irvine, and Home Loan Consultants of Newport Beach. None of the firms immediately returned calls seeking comment.

LendingTree could also face lawsuits from its customers, as well as sanctions from the U.S. Federal Trade Commission, particularly given the potential for identity theft, according to Brian Cleary, vice president of marketing at Aveksa, an enterprise security governance software company.

"Organizations have an obligation to protect sensitive customer information like this," Cleary said. More than half of the data breaches these days are due to insiders leaking the information, he added.

[Eddie-c]

LendingTree = morons

1 - "internal security uncovered the security breach and made several security system changes." The article says accessed was believed to have been between Oct 2006 &#38; early 2008. Internal security took 12-18 months to find this?? They should all be fired.<br /><br />2 - "We have no reason to believe any identity theft or fraudulent financial activity resulted". The response they all give, however they're happy to file against 3 Ca. companies.<br /><br />3 - "LendingTree could also face lawsuits from its customers". Good job it is a private company, at least I could not find a stock symbol for them otherwise a nice shareholder suit potential.<br /><br />4 - ""Organizations have an obligation to protect sensitive customer information like this," Cleary says. More than half of the data breaches these days are due to insiders leaking the information, he added." And the failure of any company to follow simple procedures these days is unconscionable.<br /><br />If LendingTree did SOX then this an INSTANT fail, not to mention they obviously don't have standard practices in place for changing passwords or disabling accounts - or that they may have accounts that give access to greater than what is needed.<br /><br />This is SysAdmin/Network Security 101. I did LAN security for Motorola in the 90s and any company who can't do things properly needs a kick in the rubber parts.

[tech_crazy]

Are they out of their mind?

"We have no reason to believe any identity theft or fraudulent financial activity resulted from this situation,". <br /><br />How do they know this? Did they try to find out? And even if someone's identity was in fact stolen, how would the poor souls know that it was due to these morons?<br /><br />Not only do they not admit any guilt, they do not even show the courtesy of offering atleast free credit monitoring for a year.<br /><br />They deserve to be sued bad. Just a matter of time!

[MCOjerry]

Yes...

...they should offer free monitoring for a year. They will likely <br />either be forced to do this in the near future, or be shamed into <br />it before someone can make them do it.<br /><br />Also, the people that handed out the passwords SHOULD be <br />fired; immediately. Not only did they breach customer privacy, <br />but they breached ethical policy and opened their company to <br />possible law suits and financial loss. <br /><br />The whole lending tree thing is a sham anyway. You don't get a <br />deal, and all that happens is that you get lots of inquiries on <br />your credit report and your credit score drops.

[seniorexec]

Not security- Senior Executive Fraud

LT was not hacked. LT has a web access system and high paid LOs making an average of $7,500 per Interest Only ARM Loan for LTs internal lending division, LT Loans. To understand LT Loans and the level of senior management driven crime, Google for the lawsuit where LendingTree promises ?When banks compete you win?. This lawsuit stems from the reality that the consumer?s identity info went only to their own internal lender LT Loans. LT Loans then displayed wholesaler names as lenders to the consumer and closed loans internally with LT Loans.<br /> Yes the LendingTree Senior Team knew there was risk in letting LT Loans manage their own leads without matching to lenders on their network as the original business model was founded on. Each person on the senior team had a million dollar+ bonus based upon LT Loan Revenue- would you imagine the smiles around the table in senior team meetings when deciding it is ok to match only to LT Loans with million dollar+ plus internal bonuses?<br /> Note that the CEOs on both coasts and most of the VPs on that senior team have decided to pursue family interests after their bonus payouts in cash and stock incentives. The senior team laid off people who managed their systems, and then their senior team was negligent in managing consumer data. Loan Officers stopped making high commissions and sold consumer identities to multiple dishonest lenders. LendingTree Senior Executives did not deactivate passwords to the systems that hold the 70+ consumer data fields including your address, your cell phone number, and your social security number.<br /> Do you think while having weekly senior team meetings each and every senior executive with a bonus based upon margins at Lending Tree Loans choose not see the risk in sending consumer information to an internal entity without monitoring simple password deactivation? For more than 6 months, 10,000 new consumer records a day- the senior team continued to allow LT Loans to operate without shutting down passwords in their legacy systems.<br />Don?t believe it? <br />Here is the still public link to the LendingTree consumer data- Live today April 22, 2008. <br /><a class="jive-link-external" href="https://lenderweb.lendingtree.com/login.aspx?ReturnUrl=%2Fdefault.aspx" target="_newWindow">https://lenderweb.lendingtree.com/login.aspx?ReturnUrl=%2Fdefault.aspx</a> <br />All you need is one of their 485 lenders passwords- I am sure any script kitty with a password sniffer can help you get anything you want just like the felons were allowed to do internally by the Lending Senior Team. <br />If you want to file a report about LendingTree Here is the link to the FBI Mortgage Fraud Division. <a class="jive-link-external" href="http://www.fbi.gov/page2/march07/mortgage030907.htm" target="_newWindow">http://www.fbi.gov/page2/march07/mortgage030907.htm</a> <br /><a class="jive-link-external" href="https://tips.fbi.gov/" target="_newWindow">https://tips.fbi.gov/</a> Identity Theft Fraud for Profit and by Senior LendingTree Executives is a possible topic. The FBI has a field office in Charlotte about 30 minutes from LendingTree so take the 3 minutes to file an online form. Of course this is just my opinion?

[Golden Hinde]

...on informed consumers

Elinor-<br /><br />Thanks for writing this piece. I see two distinct problems: <br /><br />1) Larceny against LendingTree by rogue employees. You cover this nicely by writing about Lending Tree's reactions to the issue and even possible legal ramifications.<br /><br />2) Consumers were specifically not informed to whom their information would be sent. <br /><br />This second issue probably warrants a lot more press attention than I have seen. It's pervasive does NOT require anyone to opt in.<br /><br />More specifically, there are companies set up to do just this. Here are two examples:<br /><br />1) The credit bureaus will sell subscriptions to identity profiles meeting certain criteria [http://www.bankrate.com/brm/news/loan/20070502_trigger_lead_loan_a1.asp]. <br /><br />2)Services such as Leadpoint or Rootmarkets provide venues where folks buy and sell consumer profiles.<br /><br />In your piece, you mention the FTC and its potential interest in preventing identity fraud. Most likely, the FTC would do well to revisit its stance with respect to these services.