Charlotte, N.C.-based LendingTree is warning customers that their personal data may have been compromised by its former employees who used their passwords to pilfer the data from the company's systems.
In an email to customers, LendingTree said the former employees helped some mortgage lenders gain access to its customer database by sharing their confidential passwords. The data was used by those lenders to market their own mortgage loans.
The lenders accessed LendingTree's loan request forms between October 2006 and early 2008. The breached data includes names, addresses, email addresses, telephone numbers, Social Security numbers, and income and employment information.
LendingTree said customer loan request forms are normally available only to LendingTree-approved lenders, to market loans to those customers.
In the email to customers, the company said it has no evidence that any identity theft or consumer fraud has resulted from the breach.
"When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with their investigation," LendingTree said. "We promptly made several system security changes. We also brought lawsuits against those involved."
Security experts and analysts said the breach is likely the result of a breakdown in policy and the company's user provisioning system. The system is used to grant access rights to systems and applications when employees change roles within an organization.
Companies should conduct an identity audit process every three to six months to discover passwords still available to terminated employees, said Andras Cser, a senior analyst, specializing in security and risk management at Cambridge, Mass.-based Forrester Research Inc. If LendingTree conducted the audit, the breach probably could have been prevented, Cser said.
"It's important to have a user provisioning system that will disable employee access when they leave the company," Cser said.
Companies in the financial services industry are furthest along deploying provisioning systems, but the trend is gaining ground in other industries, Cser said. Adoption is being driven primarily for compliance and the need to reduce IT cycle times.
"We're seeing transition from implementing Web access management systems towards user account provisioning," he said. "We predict the biggest gains will come from user account provisioning systems and their adoption."
Insiders are involved in about half of all data breach cases, but many firms are so focused on hardening the perimeter that insider threats are neglected, said Brian Cleary, vice president of marketing at access management vendor, Aveksa Inc.
"This is a case of really poor policy automation and a fundamental lack of good access governance which now has exposed LendingTree to a potential liability," Cleary said.
Many firms discover during an access review a number of orphaned accounts existing within the organization that provide access privileges but don't map back to a particular user, Cleary said. Access review in an organization typically falls on the CISO, but other parts of the company are involved, Cleary said. Business units are in a good position to certify an employee has the right privileges and the company's audit and compliance team understand the policies and set them to the right business rules to create a set of controls.
LendingTree advised customers to obtain and monitor their credit reports and referred them to a LendingTree credit protection page on its website. LendingTree also set up a breach faq outlining the situation to customers.