[ISN] LendingTree sues mortgage firms over security breach

From: InfoSec News (alerts@private)
Date: Tue Apr 22 2008 - 22:08:48 PDT


http://www.news.com/8301-10784_3-9926007-7.html

By Elinor Mills
News Blog
News.com
April 22, 2008

LendingTree on Monday told customers that their sensitive information 
was leaked in a security breach and that it has sued three lending 
companies as a result.

Several former employees of LendingTree are believed to have taken 
company passwords and given them to a handful of lenders who then 
accessed LendingTree customer data files, the company said.

The data includes customer names, Social Security numbers, addresses, 
e-mail addresses, telephone numbers, and income and employment 
information, but not credit card information, LendingTree said in an 
e-mail to customers and on a frequently-asked-questions page on its Web 
site.

The outside lenders are believed to have accessed LendingTree customer 
loan request forms between October 2006 and early 2008. The lenders then 
tried to market loans to the customers, LendingTree says.

LendingTree's internal security uncovered the security breach and the 
company quickly reported it to authorities and made several security 
system changes. A LendingTree spokeswoman declined to say exactly when 
the breach occurred, when it was discovered, or how many customers were 
affected.

"We have no reason to believe any identity theft or fraudulent financial 
activity resulted from this situation," the FAQ says. "You still might 
want to get a free credit report and file a fraud alert with the credit 
bureaus. When you get your credit report, look for any accounts you 
didn't open and/or inquiries from creditors that you didn't initiate."

The e-mail to customers also advises that they have the right to obtain 
a police report and may also request a security freeze on their credit 
report file.

As a result of the breach, LendingTree has sued three California 
lenders: Newport Lending Group and Sage Credit Company, both of Irvine, 
and Home Loan Consultants of Newport Beach. None of the firms 
immediately returned calls seeking comment.

LendingTree could also face lawsuits from its customers, as well as 
sanctions from the U.S. Federal Trade Commission, particularly given the 
potential for identity theft, according to Brian Cleary, vice president 
of marketing at Aveksa, an enterprise security governance software 
company.

"Organizations have an obligation to protect sensitive customer 
information like this," Cleary said. More than half of the data breaches 
these days are due to insiders leaking the information, he added.


_______________________________________________      
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Tue Apr 22 2008 - 22:20:40 PDT