LendingTree Data Breach: Former Employees Were Sharing Passwords With Unapproved Lenders

LendingTree announced today that several former employees are suspected of sharing passwords with lenders that were not approved by LendingTree, and that this may have exposed customer data including: name, address, e-mail address, phone number, Social Security number, income and employment information.

The Charlotte Observer says that the lender has increased its security and filed a civil lawsuit in Orange County, CA. The lawsuit names “three California-based mortgage lenders, eight individuals and two other businesses as co-defendants.”

LendingTree did not say how many customers’ accounts were exposed, but the article did say that the company was notifying consumers who they believe were affected.

LendingTree tells clients of breach [Charlotte Observer] (Thanks, Sarah!)

UPDATE: Reader Chris forwarded the letter that LendingTree is sending out:

April 21, 2008

Dear LendingTree Customer:

We want you to know that some loan request forms our customers sent to LendingTree may have been seen by lenders without our consent. These lenders then used the forms to market their own mortgage loans to our customers. While we don’t believe that the forms were used for any other purpose, we want you to know what happened and what we did to correct this situation, as well as what you can do to monitor your credit records.

What Happened and What We Did

Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree’s customer information by sharing confidential passwords with the lenders. When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with their investigation. We promptly made several system security changes. We also brought lawsuits against those involved.

Based on our investigation, we understand that these mortgage lenders used the passwords to access LendingTree’s customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers. The loan request forms contained data such as name, address, email address, telephone number, Social Security number, income and employment information. We believe these lenders accessed LendingTree’s loan request forms between October 2006 and early 2008.

What You Can Do

Again, we don’t believe any identity theft or fraudulent financial activity resulted from this situation. However, we suggest you get a free credit report. Look for any accounts you didn’t open and/or inquiries from creditors that you didn’t initiate. If you see anything you don’t understand, contact the credit bureau. If you see anything suspicious, you may want to file a fraud alert with the bureaus. For more information on how to do this, please refer to LendingTree’s Guide to Protecting Your Credit and Identity.

Where to Get More Information

We regret any inconvenience and apologize for any unwanted mortgage calls you may have received. For more information about this situation, and for more information on what you can do, please refer to the attached Questions & Answers .

Sincerely,

R.L. Harris

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.