A Letter You Never Want to Receive

Ex-LendingTree employees may have shared "confidential passwords" with mortgage lenders.

By SHARE

Turns out there are things you can get in the mail from your lender that are even less desirable than bills. Just ask LendingTree's mortgage customers from October 2006 through early 2008, who received the following surprise this week:

April 21, 2008

Dear LendingTree Customer:

We want you to know that some loan request forms our customers sent to LendingTree may have been seen by lenders without our consent. These lenders then used the forms to market their own mortgage loans to our customers. While we don't believe that the forms were used for any other purpose, we want you to know what happened and what we did to correct this situation, as well as what you can do to monitor your credit records.

What Happened and What We Did

Recently, LendingTree learned that several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders. When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with their investigation. We promptly made several system security changes. We also brought lawsuits against those involved.

Based on our investigation, we understand that these mortgage lenders used the passwords to access LendingTree's customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers. The loan request forms contained data such as name, address, email address, telephone number, Social Security number, income and employment information. We believe these lenders accessed LendingTree's loan request forms between October 2006 and early 2008.

What You Can Do

Again, we don't believe any identity theft or fraudulent financial activity resulted from this situation. However, we suggest you get a free credit report. Look for any accounts you didn't open and/or inquiries from creditors that you didn't initiate. If you see anything you don't understand, contact the credit bureau. If you see anything suspicious, you may want to file a fraud alert with the bureaus. For more information on how to do this, please refer to LendingTree's Guide to Protecting Your Credit and Identity.

Where to Get More Information

We regret any inconvenience and apologize for any unwanted mortgage calls you may have received. For more information about this situation, and for more information on what you can do, please refer to the attached Questions & Answers.

Sincerely,

R.L. Harris

That $1,500 mortgage bill doesn't seem so bad anymore, huh?

Here's what Brian Cleary, the vice president of marketing at Aveksa, an information security and access management provider, told me about the LendingTree problem:

"First of all, they have an access policy failure. These are former employees—how can those user accounts to critical customer data still be active? Those should be shut down. So, their access to all of the information and resources should be revoked on the day of their termination. I think, secondly, these things occur when you don't have good access review and certification processes in place.

"So, you can have policies, but if the policies live in a three-ring binder, and they are not put into practice as daily operating procedures—through some degree of automation—the chances of things like this occurring are pretty high."