LendingTree denies it’s the source of a data breach affecting 200,000

Lending Tree's new South End headquarters building in Charlotte,
On June 29, LendingTree sent letters to fewer than 70,000 consumers about a data breach. Days earlier, a threat actor posted a dataset containing records on more than 200,000 consumers, citing the company as the source. LendingTree said the leaked records do not match any of its own.
clsdesign - stock.adobe.com

LendingTree recently acknowledged it suffered two data breaches in the past year, but it denied allegations that it was responsible for a larger breach and had “downplayed” the events.

That’s according to a statement from a spokeswoman for the company in response to a class action lawsuit filed against LendingTree this week. On Monday, a Massachusetts man filed the lawsuit in a federal district court in North Carolina, where the company is based. On Thursday, the company responded.

LendingTree does acknowledge that it has been hit with two data breaches in recent months. It sent notifications to 643 consumers about a data breach in January, according to the attorney general of Indiana, one of the states that publicly discloses information about breaches affecting its residents. The attorney general of Massachusetts also disclosed the breach.

LendingTree also notified fewer than 70,000 of a breach on June 29, according to a company spokeswoman. The breaches occurred in November and February, respectively.

Christopher Lamie, the man suing LendingTree, said he was among the tens of thousands who received a letter from LendingTree in July that his information — including his Social Security number — had been compromised.

The attorneys general of Montana and California have released copies of that letter, which was sent to residents of both states. The attorney general of Texas said 4,424 Texans were affected.

After both breaches, LendingTree offered consumers identity theft protection services. Despite the offer, Lamie said in his lawsuit that he had suffered four instances of identity theft since February, which is when LendingTree told him the breach happened.

Banks report cyber events to their boards and regulators more than twice as often as they notify their customers and the general public, according to a recent survey. New reporting requirements could change the equation.

April 6

On June 18, days before LendingTree notified tens of thousands of consumers of its most recent breach, a website called Restore Privacy, which aims to raise awareness about online privacy and security, posted a blog about a LendingTree data breach. A threat actor had posted data on 200,643 loan applications to a dark web forum and claimed the information came from LendingTree, according to the group. 

LendingTree told Restore Privacy at the time that it had “previously conducted an investigation on this data set, and have determined that this data leak did not originate at LendingTree.”

In its blog post, Restore Privacy quoted part of LendingTree’s privacy policy that says submitting an inquiry constitutes directing the company “to share information about you or provided by you with lenders and other third parties,” suggesting a third party with which LendingTree shares data may have lost the 200,000 records in a breach.

The data posted on the dark web forum did not include Social Security numbers but did include names, street addresses, phone numbers, IP addresses and other data, according to Restore Privacy. In his lawsuit, Lamie cited the Restore Privacy blog to tie the dataset to the breach LendingTree notified him about. He accused the company of neglecting to tell him and others about the additional information leaked.

“LendingTree’s breach notice downplayed the breach, telling consumers that it lost control over only consumers’ Social Security numbers, dates of birth, and home addresses,” the lawsuit says. “But third-party researchers have confirmed that LendingTree is misrepresenting the breach’s scope, as hackers have posted consumers’ phone numbers, IP addresses, loan form submissions, loan types, and credit profile scores online for anyone to download.”

Lamie’s lawsuit also said he had “no prior relationship with LendingTree and he does not know how the company accessed or collected his data.” He had “never applied for a loan through LendingTree, nor given the company permission to use or access” his personal information, according to the filing.

LendingTree says the dataset discussed in the Restore Privacy article did not come from LendingTree.

“We were made aware of [the dataset] earlier this year, and at that time we investigated it, we compared it to our internal customer database,” the LendingTree spokeswoman said. “We could not identify any matching data entries, and therefore could not attribute that dataset to LendingTree.”

The spokeswoman also said the company suspects “the data was incorrectly attributed to LendingTree or intentionally labeled as such for malicious intent” and that it “maintains a comprehensive information security program and continually works to protect the data of our customers.”

For reprint and licensing requests for this article, click here.
Data breaches Cyber security Data security Technology
MORE FROM AMERICAN BANKER