LendingTree denies it’s the supply of a knowledge breach affecting 200,000

LendingTree recently acknowledged it suffered two data breaches in the past year, but it said allegations that it was responsible for a larger breach and “downplayed” the events are false.

That’s according to a statement from a spokeswoman for the company in response to a class action lawsuit filed against LendingTree this week. On Monday, a Massachusetts man filed the lawsuit in a federal district court in North Carolina, where the company is based. On Thursday, the company responded.

LendingTree does acknowledge that it has been hit with two data breaches in recent months. It sent notifications to 643 consumers about a data breach in January, according to the attorney general of Indiana, one of the states that publicly discloses information about breaches affecting its residents. The attorney general of Massachusetts also disclosed the breach.

LendingTree also notified fewer than 70,000 of a breach on June 29, according to a company spokeswoman. The breaches occurred in November and February, respectively.

Christopher Lamie, the man suing LendingTree, said he was among the tens of thousands who received a letter from LendingTree in July that his information — including his Social Security number — had been compromised.

The attorneys general of Montana and California have released copies of that letter, which was sent to residents of both states. The attorney general of Texas said 4,424 Texans were affected.

After both breaches, LendingTree offered consumers identity theft protection services. Despite the offer, Lamie said in his lawsuit that he had suffered four instances of identity theft since February, which is when LendingTree told him the breach happened.

On June 18, days before LendingTree notified tens of thousands of consumers of its most recent breach, a website called Restore Privacy, which aims to raise awareness about online privacy and security, posted a blog about a LendingTree data breach. A threat actor had posted data on 200,643 loan applications to a dark web forum and claimed the information came from LendingTree, according to the group. 

LendingTree told Restore Privacy at the time that it had “previously conducted an investigation on this data set, and have determined that this data leak did not originate at LendingTree.”

In its blog post, Restore Privacy quoted part of LendingTree’s privacy policy that says submitting an inquiry constitutes directing the company “to share information about you or provided by you with lenders and other third parties,” suggesting a third party with which LendingTree shares data may have lost the 200,000 records in a breach.

The data posted on the dark web forum did not include Social Security numbers but did include names, street addresses, phone numbers, IP addresses and other data, according to Restore Privacy. In his lawsuit, Lamie cited the Restore Privacy blog to tie the dataset to the breach LendingTree notified him about. He accused the company of neglecting to tell him and others about the additional information leaked.

“LendingTree’s breach notice downplayed the breach, telling consumers that it lost control over only consumers’ Social Security numbers, dates of birth, and home addresses,” the lawsuit says. “But third-party researchers have confirmed that LendingTree is misrepresenting the breach’s scope, as hackers have posted consumers’ phone numbers, IP addresses, loan form submissions, loan types, and credit profile scores online for anyone to download.”

Lamie’s lawsuit also said he had “no prior relationship with LendingTree and he does not know how the company accessed or collected his data.” He had “never applied for a loan through LendingTree, nor given the company permission to use or access” his personal information, according to the filing.

LendingTree says the dataset discussed in the Restore Privacy article did not come from LendingTree.

“We were made aware of [the dataset] earlier this year, and at that time we investigated it, we compared it to our internal customer database,” the LendingTree spokeswoman said. “We could not identify any matching data entries, and therefore could not attribute that dataset to LendingTree.”

The spokeswoman also said the company suspects “the data was incorrectly attributed to LendingTree or intentionally labeled as such for malicious intent” and that it “maintains a comprehensive information security program and continually works to protect the data of our customers.”

Related Articles