While not aware of any ID theft or criminal activities related to the insider operation, LendingTree confirmed a letter that was sent to customers explaining the theft. The letter explained that former LendingTree employees gave access to a handful of mortgage lenders, allowing them unlimited access to LendingTree customer information.
LendingTree employees lend access to mortgage brokers. (Img:J.Anderson/LendingTree)
Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders… "When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with the investigation. We promptly made several system security changes. We also brought lawsuits against those involved,” the letter states.
Spokespeople for LendingTree confirmed that the reports of the letter were legit. However, they would not go into the scope of the access. There is no information as to how many customers were affected. What LendingTree did confirm is that loan applications from October 2006 to early 2008 were accessed. Information listed on the applications included Social Security numbers, names, addresses, birthdates, telephone, and employment information.
If the access came from mortgage lenders, then the best outcome would be that the customers targeted would only wind up getting tons of junk mail offering “quality loan rates” or other offers. The worst case would be ID fraud.
The latter situation is unlikely in this case, contrary to other news online. The reason would be that the lenders were fishing for contact materials and sources. Live hits in the lending market for people they can qualify now, and cold call to sell them. It is entirely possible the access was used to feed boiler-room operations.
LendingTree has not responded to any request for an interview on the subject. They only reiterate that they are working with law enforcement on the matter.
Insider threats are legit, and one of the layers of security that should be covered when securing a network. In the case of LendingTree, ex-employees were able to pass off network access to someone after they had left the company’s employment. This could have been prevented with separation policy, and with other factors of network security.
Depending on the level of access these insiders had, encryption of the data might have been a moot point; the real breakdown would be that the employee accounts were still active after they left the company.
There are currently no comments for this article. Be the first to comment!
Advertising
There are currently no comments for this article. Be the first to comment!