Charlotte-based LendingTree sued after ‘stolen data’ shows up on dark web
Charlotte-based LendingTree is being sued in a class action lawsuit on claims it “lost control” of consumers’ personal information — with at least one person a victim of repeated identity theft.
The federal lawsuit, filed in Charlotte last month, claims the online loan marketplace compromised consumers’ information with inadequate data security protocols.
It also alleges the company downplayed a February security breach when disclosing it to consumers, after a list of mortgage applications labeled “LendingTree” appeared on the dark web.
Christopher Lamie, a Massachusetts resident named in the suit, had his identity stolen four times following the breach, the complaint states — despite having never used LendingTree’s services.
The company said the dark web database referenced in the suit can’t be traced back to LendingTree.
What the lawsuit alleges
The complaint alleges hackers in February were able to bypass LendingTree’s security and access information it stores on consumers.
A code vulnerability “likely resulted in the unauthorized disclosure of some sensitive personal information” beginning in February, a LendingTree spokeswoman confirmed in an email Monday.
In June, the company became aware of the vulnerability, the spokeswoman said. LendingTree “immediately resolved the issue” and notified fewer than 70,000 consumers.
The lawsuit stated Lamie received a notice regarding the data breach in July, and called the company to confirm he had been impacted.
Lamie doesn’t know how LendingTree accessed or collected his data, according to the court documents.
The company collects information on visitors to its websites from tracking technologies like cookies and third parties like credit bureaus, per LendingTree’s privacy policy declaimer on its website. That’s in addition to information provided directly by customers seeking services.
The lawsuit alleges following the breach, a database of consumers’ personally identifiable information — including phone numbers, IP addresses and credit profile scores — were posted on the “dark web” by hackers. The term describes a part of the internet not indexed by traditional search engines.
The LendingTree spokeswoman added that the company’s security team received multiple reports of this database, allegedly containing 200,000 loan applications — but it can’t be traced back to the company.
“This data did not originate at LendingTree and does not contain information from the company’s consumer database,” the spokeswoman said in a statement.
‘Fear and frustration’
After the February breach, the lawsuit claims Lamie suffered four instances of identity theft. That included fraudulent charges on his personal credit card, an attempt to change his USPS home address and three attempts to open an account in his name at three different financial institutions, according to the complaint.
When disclosing the breach in June, LendingTree offered free credit monitoring and identity protection to consumers, the spokeswoman said. The lawsuit does not say if Lamie took advantage of those services.
LendingTree’s inadequate security resulted in “anxiety, disruption, stress, fear and frustration” for Lamie, the complaint states. He has spent “considerable time and effort” monitoring his accounts, documents said, and fearing for his own personal financial security.
“This goes far beyond allegations of mere worry or inconvenience; it is exactly the sort of injury and harm to a data breach victim that the law contemplates and addresses,” the complaint reads.
The lawsuit calls for a trial by jury and is seeking compensatory damages and “injunctive relief” that would require LendingTree to make court-ordered fixes to its security protocols.
Not alone in security struggles
Similar to LendingTree, Novant Health also in recent months has experienced a major data breach.
The healthcare giant sent more than a million letters to patients in August saying that sensitive information may have been shared with Facebook parent company Meta.
Earlier this summer Novant, along with several other N.C. hospital systems, inadvertently sent patient information to Meta through use of a digital tracker tool.
Atrium Health, another Charlotte healthcare system, also was involved.
Tough times hit LendingTree
LendingTree has taken a hit to its business as higher interest rates have deterred consumers from seeking new loans.
Net income for the second quarter was down 182% from the prior year, according to the company’s latest earnings report.
In a letter to shareholders released alongside the report, CEO Doug Lebda said the company is facing “macroeconomic pressures” in the form of inflation and higher rates that “continue to generate headwinds across parts of our business.”
As of Tuesday afternoon, the fintech’s stock price has fallen 74.3% from the start of the year.
This story was originally published August 31, 2022 at 5:55 AM with the headline "Charlotte-based LendingTree sued after ‘stolen data’ shows up on dark web."
