Internal Threat Example: Lending Tree Privacy Breach And Civil Suit

Last month (May 2008…yes, it is June already!) Lending Tree got slapped with a civil suit alleging their personnel allowed mortgage lenders access to customers’ personally identifiable information (PII) and other confidential information.
The suit charges that Lending Tree did not have appropriate or adequate information safeguards in place, resulting in employees using names, addresses, phone numbers, Social Security numbers, income information, and assorted other personal information to market their own mortgage loans to the Lending Tree customers.
The class-action lawsuit (the filing is on a subscription site) represents all Lending Tree customers who submitted loan request forms to the company between Jan. 1, 2006 and May 1, 2008.
From the case file…

“1. This action seeks to redress the failure of Defendant Lending tree, LLC (“Lending Tree”) to adequately safeguard certain confidential customer information contained in Lending Tree’s customer loan request forms. As Lending tree has recently admitted, the loan request forms contain confidential data such as name, address, email address, telephone number, Social Security number, income and employment information of Lending Tree’s customers, including Plaintiff. Because of Lending Tree’s failure to maintain adequate computer data security, confidential customer data was accessed and stolen by several of Lending Tree’s employees.
2. As a result of Defendant’s actions, millions of its customers have had their personal confidential information compromised, have had their privacy rights violated, have been exposed to the risk of fraud, and have otherwise suffered damages.
3. This suit is brought, pursuant to the common law of this State, on behalf of a class of all persons who have submitted loan request forms to Lending Tree between January 1, 2006 and May 1, 2008, have been exposed to the risk of fraud as a result of Lending Tree’s breach, and who were damaged thereby (the “Class”). It seeks, inter alia, compensatory damages for Plaintiff and each class member, including, but not limited to, the time and funds spent, and which will continue to be spent, to monitor financial accounts and credit history for fraudulent activity; attorneys’ fees; and the costs of this suit.”

The security breach exposed millions of Lending Tree customers as a result of employees, who had authorized access to customer data, stealing customer information and giving it to a large number of mortgage lenders. This information included the customers’ user IDs and passwords.
The document indicates the breach “is still ongoing.”

“21. Rather than informing Plaintiff and its customers immediately of the breach so that they could mitigate the damage incurred as a result of the breach, Lending tree has not offered a reason for the almost five month delay in informing Plaintiff and its customers of the breach.”

Lending Tree is charged with several instances of negligence and breach of implied contract.
The trial WILL be going to jury.
It will be interesting to see how it turns out! It could set a significant precedent, paving the way for even more civil suits by customers of companies who do not provide effective safeguards for PII, and do not handle their privacy breach response in an effective, responsible way.
This situation also shows how customers who depend upon single-factor authentication (a password only, in this case) can be easily defeated by trusted insiders.
It would be a good discussion to have about how two-factor authentication could have prevented this breach. Other actions that could have contributed to preventing it include encrypting the customer data in storage, or at least the customer passwords.
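As an added illustration of those two points (example code, not part of the original post and not Lending Tree’s system): the customer table holds only a salted password hash, and login also requires a time-based one-time code whose secret is kept outside that table, so an insider who copies the table has neither a usable password nor a code. The two store names, the sample customer and the use of the RFC 6238 test key are assumptions of this example.

```python
# Added example (not from the original post): credential handling that limits
# what an insider with read access to the customer table can do with it.
# Passwords are stored as salted PBKDF2 hashes, and login also needs a TOTP
# code (RFC 6238) whose secret lives in a separate, more restricted store.
import hashlib, hmac, os, struct

PBKDF2_ITERATIONS = 200_000

def hash_password(password: str, salt: bytes = None) -> dict:
    """Return a storable record holding the salt and hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify_password(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, 30-second step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def enroll(cred_store: dict, factor_store: dict, user_id: str, password: str, secret: bytes) -> None:
    # The customer table (cred_store) holds only the salted hash. The second-factor
    # secret goes to factor_store, which stands in for a separate service or HSM
    # that staff with database access cannot read (an assumption of this example).
    cred_store[user_id] = hash_password(password)
    factor_store[user_id] = secret

def authenticate(cred_store: dict, factor_store: dict, user_id: str,
                 password: str, code: str, unix_time: int) -> bool:
    record, secret = cred_store.get(user_id), factor_store.get(user_id)
    if record is None or secret is None or not verify_password(password, record):
        return False
    return hmac.compare_digest(code, totp(secret, unix_time))

if __name__ == "__main__":
    creds, factors = {}, {}
    # Constructed sample customer; the TOTP secret is the RFC 6238 test key.
    enroll(creds, factors, "customer-1", "correct horse battery", b"12345678901234567890")
    now = 59
    print(authenticate(creds, factors, "customer-1", "correct horse battery", totp(factors["customer-1"], now), now))  # True
    leaked = creds["customer-1"]["hash"].hex()  # what a copied customer table reveals
    print(authenticate(creds, factors, "customer-1", leaked, "000000", now))  # False
```

The salted hash alone does not reproduce the password, and without the separately held secret the insider cannot compute the code, so the copied table fails both checks.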
This case would make a great case study to determine how well your organization is prepared to handle a similar privacy breach caused by an authorized insider.