LendingTree just lately acknowledged it suffered two knowledge breaches up to now yr, however it mentioned allegations that it was accountable for a bigger breach and “downplayed” the occasions are false.
That’s based on a press release from a spokeswoman for the corporate in response to a category motion lawsuit filed in opposition to LendingTree this week. On Monday, a Massachusetts man filed the lawsuit in a federal district courtroom in North Carolina, the place the corporate is predicated. On Thursday, the corporate responded.
LendingTree does acknowledge that it has been hit with two knowledge breaches in latest months. It despatched notifications to 643 shoppers a couple of knowledge breach in January, based on the legal professional normal of Indiana, one of many states that publicly discloses details about breaches affecting its residents. The legal professional normal of Massachusetts additionally disclosed the breach.
LendingTree additionally notified fewer than 70,000 of a breach on June 29, based on an organization spokeswoman. The breaches occurred in November and February, respectively.
Christopher Lamie, the person suing LendingTree, mentioned he was among the many tens of hundreds who obtained a letter from LendingTree in July that his info — together with his Social Safety quantity — had been compromised.
The attorneys normal of Montana and California have launched copies of that letter, which was despatched to residents of each states. The legal professional normal of Texas mentioned 4,424 Texans had been affected.
After each breaches, LendingTree supplied shoppers id theft safety companies. Regardless of the supply, Lamie mentioned in his lawsuit that he had suffered 4 cases of id theft since February, which is when LendingTree instructed him the breach occurred.
On June 18, days earlier than LendingTree notified tens of hundreds of shoppers of its most up-to-date breach, a web site known as Restore Privateness, which goals to boost consciousness about on-line privateness and safety, posted a weblog a couple of LendingTree knowledge breach. A risk actor had posted knowledge on 200,643 mortgage purposes to a darkish net discussion board and claimed the data got here from LendingTree, based on the group.
LendingTree instructed Restore Privateness on the time that it had “beforehand carried out an investigation on this knowledge set, and have decided that this knowledge leak didn’t originate at LendingTree.”
In its weblog submit, Restore Privateness quoted a part of LendingTree’s privateness coverage that claims submitting an inquiry constitutes directing the corporate “to share details about you or offered by you with lenders and different third events,” suggesting a 3rd social gathering with which LendingTree shares knowledge might have misplaced the 200,000 data in a breach.
The information posted on the darkish net discussion board didn’t embrace Social Safety numbers however did embrace names, avenue addresses, cellphone numbers, IP addresses and different knowledge, based on Restore Privateness. In his lawsuit, Lamie cited the Restore Privateness weblog to tie the dataset to the breach LendingTree notified him about. He accused the corporate of neglecting to inform him and others in regards to the extra info leaked.
“LendingTree’s breach discover downplayed the breach, telling shoppers that it misplaced management over solely shoppers’ Social Safety numbers, dates of delivery, and residential addresses,” the lawsuit says. “However third-party researchers have confirmed that LendingTree is misrepresenting the breach’s scope, as hackers have posted shoppers’ cellphone numbers, IP addresses, mortgage type submissions, mortgage sorts, and credit score profile scores on-line for anybody to obtain.”
Lamie’s lawsuit additionally mentioned he had “no prior relationship with LendingTree and he doesn’t understand how the corporate accessed or collected his knowledge.” He had “by no means utilized for a mortgage by LendingTree, nor given the corporate permission to make use of or entry” his private info, based on the submitting.
LendingTree says the dataset mentioned within the Restore Privateness article didn’t come from LendingTree.
“We had been made conscious of [the dataset] earlier this yr, and at the moment we investigated it, we in contrast it to our inner buyer database,” the LendingTree spokeswoman mentioned. “We couldn’t establish any matching knowledge entries, and due to this fact couldn’t attribute that dataset to LendingTree.”
The spokeswoman additionally mentioned the corporate suspects “the information was incorrectly attributed to LendingTree or deliberately labeled as such for malicious intent” and that it “maintains a complete info safety program and regularly works to guard the information of our clients.”