Threats, Cybercrime

LendingTree sued over data breach

May 21, 2008
At least two lawsuits have been filed against LendingTree in response to a data breach that occurred between October 2006 and early 2008.

The breach reportedly was caused by former employees who shared passwords with mortgage lenders, providing access to loan and personal information of customers.

A lawsuit filed in U.S. District Court in New York last Friday alleges that LendingTree, a mortgage loan provider, failed to adequately protect customers and their confidential records, which included names, Social Security numbers and dates of birth. The suit stated, in part, that customers had their privacy rights violated and were exposed to risks of fraud.

A similar lawsuit was filed last week in Charlotte, N.C., where LendingTree is based.

Data breaches are the most common type of criminal activities committed by employees or former employees, said Avishai Wool, co-founder and chief technology officer of AlgoSec, provider of firewall operations and security risk management solutions.

“The problem of stealing information from within a company is as old as money,” Wool told SCMagazineUS.com on Wednesday. “With emerging technologies, the theft takes new shapes.”

For that reason, he added, it is vital for companies to closely monitor any employee who has access to confidential information.

Because the Lending Tree breach was caused by sharing passwords, Wool recommended that companies review their password policies.

“Companies should reset passwords frequently,” he said.

Also, when an employee leaves a company, the password to that account should be changed immediately, especially if the account is otherwise left open for any reason, Wool said.

Most importantly, companies should not rely solely on passwords to protect data, he said. Security-conscious companies also use additional measures, such as token with code numbers that change every few minutes.

LendingTree representatives did not respond to a request for comment.
prestitial ad