Lending Tree Data Breach Exposes Even Non-Customer PII Class Action

LendingTree, LLC offers a “marketplace” for loans, which means it keeps personally identifiable information (PII) in its systems. In fact, the complaint for this class action alleges that it maintains information for consumers who have never had a loan with the company. Nevertheless, the company has now suffered what the complaint claims is its third data breach, exposing consumer information and not even discovering the intrusion until four months afterwards.

The class for this action is all individuals living in the US whose PII was compromised in the data breach disclosed by LendingTree in June 2022.

LendingTree claims to be a “marketplace” for loans, such as mortgages, auto loans, small business loans, credit cards, and other lending products. LendingTree collects individuals’ PII.

The complaint quotes the company as saying that it collects information from three sources: from individuals themselves, from third parties such as “credit bureaus, lead generators and other partners who may have data on your financial profile, home or other demographic information[,]” and from “cookies and other tracking technologies” that may combine the information they collect with other information on the person.

The plaintiff in this case, Christopher Lamie, has never had a loan with LendingTree, and in fact has never even applied for one. Still, the complaint alleges, LendingTree appears to have been in possession of his information, which was stolen in the data breach along with the information of some 200,000 other individuals.

According to the complaint, in February 2022, cybercriminals took advantage of a “code vulnerability” in LendingTree’s system to gain access to its systems. The complaint alleges that the company “fail[ed] to discover this most recent breach until June 2022, or four months after the hack.” The complaint alleges that the information was posted on the dark web.

“LendingTree has a sordid history with data security[,]” the complaint alleges, claiming that this is LendingTree’s third data breach. The first, it says, occurred in 2008, when “LendingTree’s own employees stole consumer data from LendingTree’s internal systems in an act of corporate espionage, transferring it to LendingTree’s competitors.” The second data breach, the complaint alleges, occurred in January 2022. This one at issue in this case is thus the third.

“In each case,” the complaint alleges, “LendingTree was unable to prevent, detect, or stop the breaches from happening before cybercriminals accessed and stole consumer PII, meaning it has been unwilling or unable to implement reasonable cybersecurity.”

The complaint claims that LendingTree’s Breach Notice downplayed the event, saying that the company had exposed only consumers’ dates of birth, street addresses, and Social Security numbers. In reality, the complaint alleges, a third-party investigation has shown that to be false, with dark web postings including consumers’ “emails, full names, physical addresses, phone numbers, IP addresses, loan submission dates, lead source, loan type, home description credit score, property use, military status, and price.”

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy