Lending Tree Lets Data Slip

by Alex Stenback on April 22, 2008

If being hounded by lenders with questionable motives and expertise isn’t enough to steer you away from "Lending Tree" (whom we note has gone the high-profile sports sponsorship route previously tried by Ameriquest, but instead of baseball, with our beloved PGA Tour – excuse us while we puke) how about this:

several former employees" may have shared confidential passwords with "a handful" of lenders that were not approved by the company.

The lenders then used those passwords to access customer information files that contained mortgage request data such as name, address, e-mail address, phone number, Social Security number, income and employment information.

10-1 says these "lenders" or empoyees were selling access to that data.

UPDATE: Sam Glover (of our local Caveat Emptor, riding shotgun over at Consumerist for a couple of days) hoisted this post, along with some correspondence from Lending Tree attorneys who sought the removal of one of the comments.

The backstory:

The attorney, who called twice and emailed three times before noon, requested that we remove the comment by "Lance Moore" below, which contains some interesting and provacative allegations about Lending Tree’s business model, among other things.

He first emailed under the cover of "please remove the non-public URL, this guy is encouraging hackers." Then, when we redacted that url, the attorney followed up right away stating that the comment contained numerous "defamatory" comments and again requested that the comment be removed. 

The attorney walked the line pretty carefully, and did not make any explicit threats, but here’s the thing:  Any time we get an email from a corporate attorney tossing around jargon like "defamatory" and using interrogative sentences like: "Are you refusing to remove this?" we consider that a veiled, if unspoken, threat of legal action.

After all, if they really wanted the whole comment removed, why didn’t they just ask for that in the first place?  That was what struck us as odd, and might mean their motives were not confined to angst over a hackable public url leading to a lender login page.  Maybe related to this? from Sam at Consumerist:

a class-action lawsuit in 2006 alleged just that: banks were not really competing, just LendingTree employees. As far as I can tell, the lawsuit is ongoing.

Lending Tree Tells Clients of Breach [Charlotte Observer]
Full Copy of the Email Sent to Customers Below [via reader Alec Grebis.]

April 21, 2008

Dear LendingTree Customer:

We want you to know that some loan request forms our customers sent to LendingTree may have been seen by lenders without our consent. These lenders then used the forms to market their own mortgage loans to our customers. While we don’t believe that the forms were used for any other purpose, we want you to know what happened and what we did to correct this situation, as well as what you can do to monitor your credit records.

What Happened and What We Did

Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree’s customer information by sharing confidential passwords with the lenders. When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with their investigation. We promptly made several system security changes. We also brought lawsuits against those involved.

Based on our investigation, we understand that these mortgage lenders used the passwords to access LendingTree’s customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers. The loan request forms contained data such as name, address, email address, telephone number, Social Security number, income and employment information. We believe these lenders accessed LendingTree’s loan request forms between October 2006 and early 2008.

What You Can Do

Again, we don’t believe any identity theft or fraudulent financial activity resulted from this situation. However, we suggest you get a free credit report. Look for any accounts you didn’t open and/or inquiries from creditors that you didn’t initiate. If you see anything you don’t understand, contact the credit bureau. If you see anything suspicious, you may want to file a fraud alert with the bureaus. For more information on how to do this, please refer to LendingTree’s Guide to Protecting Your Credit and Identity.

Where to Get More Information

We regret any inconvenience and apologize for any unwanted mortgage calls you may have received. For more information about this situation, and for more information on what you can do, please refer to the attached Questions & Answers .

Sincerely,

R.L. Harris

{ 10 comments… read them below or add one }

Lance Moore April 22, 2008 at 10:26 pm

LT was not hacked. LT has a web access system and high paid LOs making an average of $7,500 per Interest Only ARM Loan for LTs internal lending division, LT Loans. To understand LT Loans and the level of senior management driven crime, Google for the lawsuit where LendingTree promises “When banks compete you win”. This lawsuit stems from the reality that the consumer’s identity info went only to their own internal lender LT Loans. LT Loans then displayed wholesaler names as lenders to the consumer and closed loans internally with LT Loans.
Yes the LendingTree Senior Team knew there was risk in letting LT Loans manage their own leads without matching to lenders on their network as the original business model was founded on. Each person on the senior team had a million dollar+ bonus based upon LT Loan Revenue- would you imagine the smiles arround the table in senior team meetings when it was decided weekly that it is ok to match only to LT Loans with million dollar+ bonuses?
Note that the CEOs on both coasts and most of the VPs on that senior team have decided to pursue family interests after their bonus payouts in cash and stock incentives. The senior team laid off people who managed their systems, and then their senior team was negligent in managing consumer data. Loan Officers stopped making high commissions and sold consumer identities to multiple dishonest lenders. LendingTree Senior Executives did not deactivate passwords to the systems that hold the 70+ consumer data fields including your address, your cell phone number, and your social security number.
Do you think while having weekly senior team meetings each and every senior executive with a bonus based upon margins at Lending Tree Loans choose not see the risk in sending consumer information to an internal entity without monitoring simple password deactivation? For more than 6 months, 10,000 new consumer records a day- the senior team continued to allow LT Loans to operate without shutting down passwords in their legacy systems.
Don’t believe it?
Here is the still public link to the LendingTree consumer data- [REDACTED AT THE REQUEST OF LENDING TREE LEGAL REPRESENTATION] link to the FBI Mortgage Fraud Division. http://www.fbi.gov/page2/march07/mortgage030907.htm
https://tips.fbi.gov/ Identity Theft Fraud for Profit and by Senior LendingTree Executives is a possible topic. The FBI has a field office in Charlotte about 30 minutes from LendingTree so take the 3 minutes to file an online form. Of course this is just my opinion…

Sam Bayard April 25, 2008 at 7:40 am

Alex,

I work for the Citizen Media Law Project at the Berkman Center for Internet & Society at Harvard Law School. I read on caveat emptor that someone from Lending Tree requested that you to take down a comment because it was allegedly defamatory. I don’t see the comment here, but maybe the caveat post is not clear on all the facts. You should keep in mind that section 230 of the Communications Decency Act (CDA 230) provides website operators with a defense to defamation claims based on user-generated content like comments. See our Primer on CDA 230 (http://www.citmedialaw.org/resources/primer-section-230-communications-decency-act) for details. In addition, we are creating a database of legal threats faced by citizen media creators and would like to create a database entry on the Lending Tree incident if you would be willing to provide details. Best of luck.

-Sam

Alex/Editor April 25, 2008 at 7:56 am

Sam, the comment you refer to, and the one that LT attorneys were so very interested in taking down, is the one just above your post.

Thanks for the tip.

geo May 20, 2008 at 7:57 pm

Contact Finkelstein Thompson for more info on a possible class action.

http://www.finkelsteinthompson.com/investigation/lendingtree_data.php

geo May 20, 2008 at 7:58 pm

Contact Finkelstein Thompson for more info on a possible class action.

http://www.finkelsteinthompson.com/investigation/lendingtree_data.php

John Franks June 20, 2008 at 10:32 am

An excellent and timely article: It’s amazing that breaches and thefts keep happening. Considering “what goes around, comes around”, I wonder how soon any one of us has personal experience with identity theft? It’s also interesting that reactive measures don’t concentrate on the obvious solution – a proactive treatment and training of people, and reinforcements to their corresponding security awareness. In those regards, there is a defined eCulture called “The Business-Technology Weave” that helps to influence employee behaviour as regards security, use and integrity of data – as well as protection of hard assets (such as laptops). This is particularly relevant: http://www.businessforum.com/DScott_02.html . Some good stuff here too: http://www.david-scott.net . We use his book at work – stupid mistakes like deleted and misplaced data have dropped tremendously. Our CEO even requires our vendors to read it. It’s making a huge difference.

John Franks June 20, 2008 at 10:32 am

An excellent and timely article: It’s amazing that breaches and thefts keep happening. Considering “what goes around, comes around”, I wonder how soon any one of us has personal experience with identity theft? It’s also interesting that reactive measures don’t concentrate on the obvious solution – a proactive treatment and training of people, and reinforcements to their corresponding security awareness. In those regards, there is a defined eCulture called “The Business-Technology Weave” that helps to influence employee behaviour as regards security, use and integrity of data – as well as protection of hard assets (such as laptops). This is particularly relevant: http://www.businessforum.com/DScott_02.html . Some good stuff here too: http://www.david-scott.net . We use his book at work – stupid mistakes like deleted and misplaced data have dropped tremendously. Our CEO even requires our vendors to read it. It’s making a huge difference.

John Franks June 20, 2008 at 10:32 am

An excellent and timely article: It’s amazing that breaches and thefts keep happening. Considering “what goes around, comes around”, I wonder how soon any one of us has personal experience with identity theft? It’s also interesting that reactive measures don’t concentrate on the obvious solution – a proactive treatment and training of people, and reinforcements to their corresponding security awareness. In those regards, there is a defined eCulture called “The Business-Technology Weave” that helps to influence employee behaviour as regards security, use and integrity of data – as well as protection of hard assets (such as laptops). This is particularly relevant: http://www.businessforum.com/DScott_02.html . Some good stuff here too: http://www.david-scott.net . We use his book at work – stupid mistakes like deleted and misplaced data have dropped tremendously. Our CEO even requires our vendors to read it. It’s making a huge difference.

John Franks June 20, 2008 at 10:32 am

An excellent and timely article: It’s amazing that breaches and thefts keep happening. Considering “what goes around, comes around”, I wonder how soon any one of us has personal experience with identity theft? It’s also interesting that reactive measures don’t concentrate on the obvious solution – a proactive treatment and training of people, and reinforcements to their corresponding security awareness. In those regards, there is a defined eCulture called “The Business-Technology Weave” that helps to influence employee behaviour as regards security, use and integrity of data – as well as protection of hard assets (such as laptops). This is particularly relevant: http://www.businessforum.com/DScott_02.html . Some good stuff here too: http://www.david-scott.net . We use his book at work – stupid mistakes like deleted and misplaced data have dropped tremendously. Our CEO even requires our vendors to read it. It’s making a huge difference.

Mike S. July 3, 2008 at 12:55 pm

Lender Police at http://www.lenderpolice.com seems to have taken care of the mortgage lender loan fraud problem for Borrowers, Closing Agents, Mortgage Lenders, and Real Estate Agents.

Always use Lender Police after you apply for a mortgage loan. They’ll tell you if your lender is giving you a good deal or not in one of two ways. You can purchase a good faith estimate review for $99 that will tell you if the interest rate, points, fees, and rebates you’re being charged is appropriate for your situation. The loan document review for $199 verifies that the loan documents that you’re signing are for the same loan that you were quoted and your lender didn’t slip in any extra points, fees, pre-payment penalties, or is receiving a lender rebate for selling you a higher interest rate than you qualify for.

A mortgage loan evaluation from Lender Police is the only way to guarantee you lender isn’t trying to rip you off.

Leave a Comment

 

Previous post:

Next post: