LendingTree, LLC was forced to admit April 21, 2008 that former employees of the online mortgage broker had obtained customer passwords and shared them with non-LendingTree-approved mortgage lenders so those lenders could market their loans to those customers. Although the company sued the parties involved in the breach in a state court in California, multiple LendingTree customers have sued LendingTree in federal court for lax network security.
"We regret any inconvenience," stated "RL Harris" in an April 21 letter to customers, an apparent reference to Robert L. Harris, president of LendingTree. Harris disclosed that former employees shared customer passwords with non-approved lenders and that, with that access, the non-approved lenders could view the customers' applications for mortgages. He further stated that the unauthorized access began as far back as October 2006.
"The loan request forms contained data such as name, address, email address, telephone number, Social Security number, income and employment information," he acknowledged. While such data can be a treasure trove for identity thieves, Harris sought to reassure customers: "We don't believe any identity theft or fraudulent financial activity resulted from this situation." LendingTree, through a spokeswoman, declined a request for comment for this story.
At the time the breach was reported, LendingTree, of Charlotte, N.C., was a unit of IAC/InterActiveCorp. It was spun off as its own publicly traded company, Tree.Com Inc., on Aug. 21.
Simultaneous to disclosure of the breach, LendingTree filed suit against five mortgage lenders in Southern California, which it accuses of fraud for using its customer records without permission. The companies are: Newport Lending Corp.; Southern California Marketing; Sage Credit Co.; Chapman Capital Inc.; and Home Loan Consultants.
At the same time LendingTree is the plaintiff in the California case, it is the defendant in a number of federal lawsuits filed by LendingTree customers outraged at their records being compromised.
In one such case, customer Marvin Garcia, of New York City, sued LendingTree in U.S. District Court in Manhattan July 29 accusing it of negligence, invasion of privacy and violation of the U.S. Fair Credit Reporting Act, which requires companies "to maintain reasonable procedures designed to limit the use of consumer reports [to] permissible purposes."
The suit, which has since been consolidated with other customer lawsuits in North Carolina, where LendingTree is based, also names the same non-approved lenders that LendingTree sued in California, stating: "The mortgage lenders used the passwords of LendingTree's customers to access the … customer loan request forms to market loans [to them]."
"Lending Tree knew or should have known that its network for processing and storing customer loan request forms…had security vulnerabilities," the lawsuit states.
In announcing the filing of the Garcia suit, his law firm, Meiselman Denlea, of White Plains, N.Y., criticized LendingTree for waiting so long before warning customers after it discovered the breach, and for only advising customers to get a credit check and monitor their credit reports going forward -- at their own expense.
LendingTree can be expected to take heat for this in the court of public opinion as well as in real courts, said Dana Wiklund, research director for global risk management at Financial Insights, a unit of the research firm IDC focused on the financial services industry.
"It opens up Lending Tree to reputation risk," Wiklund acknowledged. However, he added, this breach could have been a lot worse. So far, there's no evidence that the unauthorized access to customer records has resulted in any identity theft or fraud against those customers (although the customers' lawsuits argue they are still at risk). And while it's unclear exactly how many LendingTree customer records were exposed, he doesn't see this case being on the scale of other breaches.
"The fact that the data went to maybe other mortgage brokers and marketers is a big distinction from losing a tape with a million socials on it and finding out that some of these socials are popping up with international fraud rings," said Wiklund. He added that the mortgage brokers or lenders who gained the unauthorized access are likely one- or two-person shops whose only motivation was to try to drum up some business.
Nonetheless, he concluded, LendingTree is going to have to go back, see what went wrong and fix it.
That LendingTree employees could access customer passwords and share them with outside parties is puzzling to Jeremy Duffy, a self-described technology privacy awareness advocate and host of an online "Computer and Internet Safety for Normal People" seminar. Duffy finds it hard to believe that employees could access even their own customers' passwords.
What needs to be determined is if the passwords were encrypted or not. If they were encrypted, Duffy said, "There would be almost no way for someone to know the actual passwords even if they could directly access the database." If they were not encrypted, but stored in plain text, "that allows anyone with database access to see the customer's actual passwords and that is a huge security issue."
Duffy recommends a simple test. If a user clicks on the "Lost Password" button on a log-in page and the site sends them an email with their password, the passwords are likely stored in plain text. If it sends back a randomly generated password for the user to go in and reset their password, it's probably encrypted.
About the author:
Robert Mullins is a reporter covering the technology industry from Silicon Valley. He writes about servers, storage, security, open source software and other topics.
This was first published in November 2008