Mortgage Broker Sues Lenders in Privacy Breach

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, April 29, 2008

LendingTree, an online mortgage broker that claims to have reached more than 20 million customers, had a privacy breach that exposed personal data such as income and job information on an undisclosed number of users.

The private company notified customers by letter last week that "several former employees may have helped a handful of mortgage lenders gain access to LendingTree's customer information by sharing confidential passwords with the lenders."

The company filed suit last week against five Southern California home loan lenders, alleging that they improperly gained access to customers' data, according to court records and a copy of the letter posted on LendingTree's Web site. The company also filed suit against two former executives in North Carolina, claiming that they shared the passwords with the lenders.

The company has contacted authorities and is assisting in the investigation. It has also made several security changes, the letter said.

"Based on our investigation, we understand that these mortgage lenders used the password to access LendingTree's customer loan request forms, normally available only to LendingTree-approved lenders, to market loans to those customers," the letter said. The loan request forms contained data such as name, address, e-mail address, telephone number and Social Security number. The loan forms were from October 2006 through early 2008, the letter said.

The company said it did not believe any identity theft or fraudulent financial activity resulted but suggested that customers who were notified obtain a free credit report.

Fairfax resident Randall Scott was among those notified. He was "stunned and very concerned about how far this can ricochet," he said. "I don't know if the bullet has stopped yet."

Scott said that despite having been a pleased customer for at least three years, he is skeptical of the company's claim that no identity theft or consumer fraud has taken place. "How can they make those assumptions?" he asked.

Scott has received about two dozen unsolicited mortgage company telephone calls recently, he said, though he is unsure whether they were related to the breach.

LendingTree's business model, which generates leads for lenders who pay for information about prospective borrowers, raises questions about privacy, said Ari Schwartz, deputy director of the Center for Democracy and Technology. "LendingTree says, 'We have people who can compete over you.' You fill out a form for free. They have companies that pay to see your information," he said. "When you make personal information that much of a commodity . . . there's a higher risk of mistakes on privacy and security."

Consumers are concerned about such risks. A survey of 2,900 adults released earlier this month by Zillow.com, which recently launched a service in competition with LendingTree, found that the top two concerns for more than half of respondents were having personal information sold or shared with multiple lenders and having personal information and credit scores shared with multiple lenders.

LendingTree spokeswoman Allison Vail declined to comment yesterday. North Carolina-based LendingTree is a subsidiary of IAC/Interactive, which is controlled by Barry Diller, a director of The Washington Post Co. LendingTree was acquired by IAC/Interactive in June 2003.

The company filed a civil suit in Orange County Superior Court on April 21 against Newport Lending Group, Southern California Marketing, Home Loan Consultants, Chapman Capital and Sage Credit, according to an online docket. It also filed a suit against former Lending Tree vice president Jarrod Beddingfield and former senior vice president David Anderson, according to the Los Angeles Times.

Scott said he just signed a contract for a new house and planned last night to compare rates through Lending Tree. He said he figured the company's security is better now. "If somebody stole art off the wall of a museum, they probably got tighter security the next time around," he said.

Staff researcher Richard Drezen contributed to this report.


© 2008 The Washington Post Company