Online mortgage referral company LendingTree is facing a lawsuit after a security breach in which company employees allegedly allowed mortgage lenders access to customers' confidential information. The lawsuit maintains that former company employees gained unauthorized access to sensitive information contained in its loan request forms by using old passwords.
Plaintiffs in the suit, which was filed in the U.S. District Court in Manhattan, N.Y., contend that LendingTree failed to implement adequate security measures to keep customers' information secure. The employees then used that information, which included names, addresses, phone numbers, Social Security numbers, income and other personal data, to market their own mortgage loans to customers.
The class-action lawsuit represents all LendingTree customers who submitted loan request forms to the company between Jan. 1, 2006 and May 1, 2008.
The Charlotte-based company first issued a letter on April 21st warning customers that former employees had helped "a handful of mortgage lenders gain access" to personal customer data by "sharing confidential passwords with the lenders."
The company said the passwords were then used to access LendingTree's customer loan request forms "normally available only to LendingTree-approved lenders," in a scheme to "market loans to those customers."
In a subsequent letter, dated May 8, the company warned affected customers that a "handful of mortgage lenders" had accessed loan information without customer consent. The letter went on to advise affected customers to place a security freeze on their own credit file, and included specific instructions which required victims to pay a $5 fee to their respective credit bureaus.
"It's really an access governance issue," said Brian Cleary, vice president of marketing for Aveksa, a security company specializing in enterprise access governance.
"A company like LendingTree has an obligation to put the right framework and controls in place. For them not to take ownership and require people who are at risk to pay is an absolute insult to injury."
Cleary said that, consequently, LendingTree could go the way of TJX, ChoicePoint and other companies that have suffered punitive consequences for high-profile data breaches. If the Federal Trade Commission becomes involved, LendingTree could be subject to mandated third-party audits and inspections every other year, Cleary said.
Experts say that the lawsuit is emblematic of numerous businesses that fail to adequately monitor or control access to their systems, or to keep their password policies current.
To avoid a large-scale breach, experts say that companies will increasingly be required to adopt alternatives to simple passwords, such as two-factor authentication, which combines a password with a physical device such as a token, USB stick or key fob.
"Passwords are very low quality authenticators," said Avishai Wool, CTO of AlgoSec, a security risk management solution company. "Security-conscious organizations that are concerned about these things, especially banks and financial institutions, lean more toward something like two-factor authentication."
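The failure described above, old passwords of departed employees still working and being shared with outside lenders, is the kind of thing an access governance review is meant to catch. The following is an added example, not code from the article or from LendingTree: it cross-checks a portal's authentication log against HR offboarding records to flag logins by accounts whose owner has already left, and flags accounts used from several distinct network addresses, the pattern a shared password tends to produce. The records, log layout and thresholds are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumed, not from the article): HR offboarding
# records keyed by username, and an authentication log for a lender-facing portal.
TERMINATIONS = {
    "jdoe": "2008-01-15",    # left in January; account should have been disabled
    "asmith": "2007-11-30",
}

AUTH_LOG = [
    # (timestamp, username, source_ip, result)
    ("2008-02-03T09:12:00", "jdoe", "203.0.113.10", "success"),
    ("2008-02-03T14:40:00", "jdoe", "198.51.100.7", "success"),
    ("2008-02-04T08:05:00", "jdoe", "192.0.2.55", "success"),
    ("2008-02-04T10:00:00", "bwhite", "10.0.0.12", "success"),
    ("2007-11-01T11:00:00", "asmith", "10.0.0.20", "success"),
    ("2008-02-05T16:30:00", "bwhite", "10.0.0.12", "failure"),
]


def logins_after_termination(auth_log, terminations):
    """Return (user, timestamp, ip) for successful logins that happened after
    the account owner's termination date, i.e. credentials that outlived the
    employee and should have been revoked."""
    findings = []
    for ts, user, ip, result in auth_log:
        if result != "success" or user not in terminations:
            continue
        left_on = datetime.fromisoformat(terminations[user])
        if datetime.fromisoformat(ts) > left_on:
            findings.append((user, ts, ip))
    return findings


def shared_credential_candidates(auth_log, min_sources=3):
    """Return accounts that logged in successfully from at least min_sources
    distinct addresses; one person's account used from many places is a common
    sign the password has been handed out."""
    sources = {}
    for _, user, ip, result in auth_log:
        if result == "success":
            sources.setdefault(user, set()).add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    for user, ts, ip in logins_after_termination(AUTH_LOG, TERMINATIONS):
        print(f"post-termination login: {user} at {ts} from {ip}")
    for user, ips in shared_credential_candidates(AUTH_LOG).items():
        print(f"possible shared credential: {user} used from {ips}")
```

In practice the termination list comes from the HR system of record and the review runs on every offboarding, not only after an incident.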
The issue is also indicative of the growing insider threat that companies face. A September 2007 PwC survey revealed that an overwhelming majority, 69 percent, of respondents cited employees and former employees as the most likely source of security attacks, surpassing hackers at 41 percent.
The study reported that e-mail and abused user accounts were the primary methods for security breaches; however, only 52 percent of respondents said that their company had implemented adequate security solutions to deal with the problem.
"I think this is a wake-up call to all organizations for taking control of their framework for access governance," said Cleary. "Who wants to be the next poster child for data protection? The legal and regulatory risk and increased operating expenses are just too large to ignore."