LendingTree has told its customers that former employees helped unauthorized mortgage lenders hack into its systems and steal customer information from 2006 to 2008.
The incident reveals just how aggressive the mortgage loan business was during the height of the housing boom, and also raises fears for consumers who share their information with companies that help them shop around for the best deal. And it highlights what experts say is an often overlooked source of data theft -- the inside job.
According to a letter sent to customers recently, former LendingTree LLC employees shared "confidential passwords" with lenders, who in turn used the login information to "access LendingTree's customer loan request forms."
The forms contained critical personal data, including names, addresses, Social Security numbers, income and employment information. The company said the lenders did not use the information to commit identity theft or fraud, but simply to "market their own mortgage loans to ... customers."
In connection with the incident, LendingTree, based in Charlotte, N.C., has filed lawsuits against three small California-based home loan companies.
A LendingTree spokeswoman said the company was not granting interviews to discuss the data theft. She would not say how many customers were affected nor how much data was stolen, but instead supplied a copy of the customer letter sent by the firm.
While LendingTree says in the letter it has no reason to suspect its consumers are at heightened risk for identity theft, it did suggest consumers obtain a free credit report and file a fraud alert with the nation's credit bureaus.
Upon learning of the security breach, LendingTree says, it "promptly enhanced the security of our system."
Given that data was accessed from 2006 to early 2008, it can be inferred that passwords used by former employees remained operational for months or even years after their employment was terminated, generally considered poor security practice, said identity theft expert Rob Douglas, editor of InsideIDTheft.info.
"This plays into everybody's fear that this happens all the time," Douglas said. "When consumers share their information with companies, they assume it ends up in other companies' hands."
One victim who received the LendingTree letter -- but who requested anonymity -- was annoyed that LendingTree offered no compensation for the trouble.
"Rather than offer a free credit report they suggest that I use my annual free credit report," the consumer said, referring to the once-per-year free peek that consumers get at their report by visiting AnnualCreditReport.com.
In its letter, LendingTree includes a pamphlet called "Guide to Protecting Your Credit and Identity." Consumers who obtain their credit report and see anything suspicious are told to "contact the credit bureau."
Consumers who visit LendingTree expect their personal information to be shared with other companies. They are hoping LendingTree will help them find a mortgage firm with the best rate, and expect several companies to "bid" for the right to supply their home loan.
But in this incident, loan applications were viewed by unauthorized lenders, who used the information to market their own loan products, LendingTree said.
"We suggest that you remain vigilant by reviewing account statements and monitoring your credit reports for the next 24 months," the letter says.