Former LendingTree employees sold access to customer information
Date Reported:
4/21/08
Organization:
IAC/InterActiveCorp (IAC)
Contractor/Consultant/Branch:
LendingTree, LLC
Victims:
Customers
Number Affected:
Unknown
Types of Data:
"loan request data such as name, address, email address, telephone number, Social Security number, income and employment information"
Breach Description:
"Recently, LendingTree learned that several former employees may have taken Company passwords and given them to a handful of lenders. These lenders then used the passwords to access LendingTree customer information files, normally available only to LendingTree-approved lenders, to market loans to LendingTree's customers."
Reference URL:
LendingTree FAQs
MSNBC Red Tape Chronicles
NetworkWorld
Report Credit:
LendingTree
Response:
From the online sources cited above:
LendingTree has told its customers that former employees helped unauthorized mortgage lenders hack into its systems and steal customer information from 2006 to 2008.
[Evan] From Rob Douglas, editor of InsideIDTheft.info: "Given that data was accessed from 2006 to early 2008, it can be inferred that passwords used by former employees remained operational for months or even years after their employment was terminated, generally considered poor security practice."
Recently, LendingTree learned that several former employees may have taken Company passwords and given them to a handful of lenders.
[Evan] Monitoring insider activity for fraud is a difficult challenge for information security personnel, especially when the credentials (username/password) used are valid.
These lenders then used the passwords to access LendingTree customer information files, normally available only to LendingTree-approved lenders, to market loans to LendingTree's customers.
The files contained loan request data such as name, address, email address, telephone number, Social Security number, income and employment.
[Evan] Sheesh! This is everything that a bad guy (or gal) would need to do some serious damage.
A LendingTree spokeswoman said the company was not granting interviews to discuss the data theft. She would not say how many customers were affected nor how much data was stolen, but instead supplied a copy of the customer letter sent by the firm.
Our internal security uncovered this situation. We began an internal investigation and reported it to the authorities. We continue to assist the authorities and are telling our customers as soon as it was possible to do so.
Credit card information (such as account number or account balance) was not involved.
[Evan] No need, with information such as name, address, email address, telephone number, Social Security number, income and employment, a fraudster could get his/her own credit card.
We promptly enhanced the security of our system so that this situation couldn't happen again. We also brought lawsuits against the lenders and other persons involved.
[Evan] What? How do you promptly fix human behavior? If there were such a simple fix for the problem that led to this incident then why wasn't it implemented prior to the incident? I don't buy it.
we have no reason to believe any identity theft or fraudulent financial activity resulted from this situation
You still might want to get a free credit report and file a fraud alert with the credit bureaus. When you get your credit report, look for any accounts you didn't open and/or inquiries from creditors that you didn't initiate. If you see anything you don't understand, contact the credit bureau.
[Evan] What if an affected individual has already used their free annual credit report?
LendingTree believes that the information accessed was limited to mortgage customer loan requests only, which were then used by the mortgage lenders to solicit those customers for mortgage loans.
We brought a lawsuit against Newport Lending Group, Irvine, California; Home Loan Consultants, Inc., Newport Beach, California; and Sage Credit Company, Irvine, California, in connection with this incident.
[Evan] I wonder what the lawsuits seek.
LendingTree sent emails or letters to the mortgage customers that it believes, based on its investigation to date, might be at risk of having their information accessed and used by these mortgage companies to solicit mortgage loans.
You should also be vigilant for 12 to 24 months in reviewing bank and credit card statements and any future credit reports.
[Evan] As long as Social Security numbers are still used for authentication, people should remain vigilant, whether it be 12, 24, or 300 months.
You can call LendingTree at to speak with one of our customer service representatives who are available from 9am to 9pm ET seven days a week.
[Evan] Well, thank you for permission, Mr. LendingTree.
Commentary:
I don't necessarily fault LendingTree too much for the incident occurrence. Preventing internal privileged access abuse is a real challenge. There are some controls that can reduce risk, but we don't know which of these are in use at LendingTree. I think it was just a matter of time. Actually, I would be surprised if this was the first time with past occurrences remaining internal and private.
What I do fault LendingTree for is a really poor public response. There are no apologies in the FAQs for the inconvenience. There is no offer of any real assistance. There is no readily available information on the company's web site (the FAQs are very hard to find without any direct link from the home page). The information (once found) given by LendingTree is much less than what would make me comfortable. Overall, their response gives off this general feeling of arrogance.
Personally, I am a LendingTree customer as I have applied for a previous car loan through them. Am I to take LendingTree at their word and believe that this breach only affected mortgage applications? What controls were in place to prevent employees from granting access to my data? I need more detailed information about the investigation and what LendingTree did to "promptly" enhance security before I conduct business with them again.
Past Breaches:
Unknown

Those events cannot be avoided. What is good is that Lending Tree gave notice to its client about the incident.