LendingTree Data Breach: Former Employees Were Sharing Passwords With Unapproved Lenders

LendingTree announced today that several former employees are suspected of sharing passwords with lenders that were not approved by LendingTree, and that this may have exposed customer data including: name, address, e-mail address, phone number, Social Security number, income and employment information.

The Charlotte Observer says that the lender has increased its security and filed a civil lawsuit in Orange County, CA. The lawsuit names “three California-based mortgage lenders, eight individuals and two other businesses as co-defendants.”

LendingTree did not say how many customers’ accounts were exposed, but the article did say that the company was notifying consumers who they believe were affected.

LendingTree tells clients of breach [Charlotte Observer] (Thanks, Sarah!)

UPDATE: Reader Chris forwarded the letter that LendingTree is sending out:

April 21, 2008

Dear LendingTree Customer:

We want you to know that some loan request forms our customers sent to LendingTree may have been seen by lenders without our consent. These lenders then used the forms to market their own mortgage loans to our customers. While we don’t believe that the forms were used for any other purpose, we want you to know what happened and what we did to correct this situation, as well as what you can do to monitor your credit records.

What Happened and What We Did

Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree’s customer information by sharing confidential passwords with the lenders. When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with their investigation. We promptly made several system security changes. We also brought lawsuits against those involved.

Based on our investigation, we understand that these mortgage lenders used the passwords to access LendingTree’s customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers. The loan request forms contained data such as name, address, email address, telephone number, Social Security number, income and employment information. We believe these lenders accessed LendingTree’s loan request forms between October 2006 and early 2008.

What You Can Do

Again, we don’t believe any identity theft or fraudulent financial activity resulted from this situation. However, we suggest you get a free credit report. Look for any accounts you didn’t open and/or inquiries from creditors that you didn’t initiate. If you see anything you don’t understand, contact the credit bureau. If you see anything suspicious, you may want to file a fraud alert with the bureaus. For more information on how to do this, please refer to LendingTree’s Guide to Protecting Your Credit and Identity.

Where to Get More Information

We regret any inconvenience and apologize for any unwanted mortgage calls you may have received. For more information about this situation, and for more information on what you can do, please refer to the attached Questions & Answers .

Sincerely,

R.L. Harris

Comments

Edit Your Comment

  1. unklegwar says:

    This is one of those “why would anyone with any good sense use this in the first place?” items.

    I applied with them several years ago when buying my home. I had (and have) stellar credit.

    Every single offer was from some scummy bank, offering me “bargain rates” at 2 full percentage points higher (or more!) than what I could walk into my local bank and get.

  2. MissTic says:

    Hmm..now this article makes more sense –
    [consumerist.com]

    I wonder if they knew something before this came out?

  3. attheotherbeach says:

    “Awkward, isn’t it?”

  4. Wormfather says:

    @unklegwar: OK, I’m not following you. “Why would anyone with good sense use this in the first place”

    My fiancee and I “used” it to see what rates they were offering, that makes sense, now accepting is a whole other thing (if it’s the best you can get then so be it (for the record we went with the Bank of Opportunists))

    From my understanding, simply applying to LendingTree was enough to get you exposed.

    So play nice, please.

  5. mjsager says:

    @Wormfather: Personal responsibility Wormfather! Its clear you don’t have it! If you did, you would know that Lending Tree was going to do this. You could have used your personal responsibility to see into the future!!! Clearly you are what is wrong with America! People like yourself not taking responsibility!

  6. loueloui says:

    @unklegwar:

    I had about the same experience when buying my home. They offered me like 11% or something equally ridiculous and another sleazy no name lender at 7.85% variable which was about prime +4% at that point.

    We finally settled for 6% fixed with someone else. Thank you Pinnacle financial.

  7. jeffjohnvol says:

    I used lending tree once, and then got flooded with mortgage spam later. I don’t thinkg LT did it, but some of the companies that got my email address probably sold it.

  8. Geekybiker says:

    Lovely. Now I get to watch for identity theft.

  9. ucdcsteve says:

    I got four calls on my cell phone yesterday for someone named Mark from lending companies. Apparently, he had applied online (I’m guessing Lending Tree or something similar) and accidentally (?) put my phone number. I got in touch with two of the lenders and it seems above board, but I was still annoyed and slightly concerned about identity theft. Unfortunately, there’s no way of getting in touch with whoever else might have my number and telling them I’m not Mark.

  10. unklegwar says:

    @Wormfather: Point being that this has been around a long time, and is notoriously not good at pointing you to good rates or good lenders. So, why is it still alive?

  11. ideagirl says:

    @mjsager: Excellent post, thanks for making that post!!

  12. Mr. Gunn says:

    “When banks get breached, you lose!”

  13. NoNamesLeft says:

    hmmmm…

  14. aikoto says:

    BAD ADVICE ALERT! Don’t get a fraud alert, they don’t work. Get a credit freeze. Then you don’t have to worry about this kind of thing.

    Data here:
    [www.jeremyduffy.com]