Breach, Threat Management, Data Security, Incident Response, TDR

LendingTree insider attack exposes personal data

Former employees may have helped a small number of mortgage lenders gain access to the personal information of LendingTree customers by sharing passwords, the company admitted in a letter to victims.

“Based on our investigation, we understand that these mortgage lenders used the passwords to access LendingTree's customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers,” the LendingTree letter stated.

The loan request forms contained data, such as name, address, email address, telephone number, Social Security number, income and employment information, about LendingTree customers.

It is believed the information was accessed between October 2006 and early 2008. The breach was discovered through LendingTree's internal security, and as soon as it was discovered the incident was reported. 

LendingTree did not say how many individuals were affected.

It is not uncommon for former employees to still have access rights to confidential information, said Brian Cleary, vice president for marketing at Aveksa, maker of enterprise access governance solutions.

“There are a lot of orphaned accounts with multitudes of different information and resources that are uncovered during an audit,” Cleary told on Wednesday. “Companies need to work harder to clean this up. There should be an automated update system in place to eliminate these accounts.”

In addition, companies need to be more proactive to stay on top of any employee movement, whether it is termination or moving from one position to another.

It takes more than sending an email to IT to remove a person from an account, said Todd Chambers, chief marketing officer for Courion, an enterprise provisioning and compliance solutions firm. It also means following up to make sure the account is closed and running frequent checks on orphan accounts.

“Checking every three or six months isn't enough,” he said. “That gives someone a three- or six-month window to abuse the information.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.