LendingTree denies connection to data breach affecting 200,000, but confirms a different one
Jonathan Greig July 15, 2022

The financial services giant LendingTree has denied any connection to a reported data breach involving 200,000 loan applications found on the dark web, although the company did confirm that the information of tens of thousands of customers was exposed in a separate breach in February.

Reports emerged in recent weeks of cybercriminals selling sensitive information purporting to be from applications originating from LendingTree, which connects customers to lenders. 

The company began sending out breach notification letters on June 29, leading many to believe that the 200,000 loan applications on the dark web were legitimate.

But LendingTree director of communications Megan Greuling told The Record that the notifications the company sent out were in response to a “code vulnerability” in LendingTree’s platform that exposed the sensitive information of more than 70,000 customers in February. 

This information included names, Social Security numbers, addresses and dates of birth. Greuling added that the company also notified about 700 customers in January of a data breach that took place last November, which also occurred because of a “vulnerability in one of its online interfaces for personal loans,” which she said “no longer exists.”

“We are working to implement additional security measures to protect consumers who visit our online interfaces,” Greuling said. 

She noted that in both cases, LendingTree offered free credit monitoring and identity theft protection to consumers for about two years.

According to Greuling, LendingTree’s security team looked into reports of the 200,000 leaked loan applications. 

“Our investigation determined that this data leak did not originate at LendingTree. In fact, we obtained the full data set and found there to be no match when compared to our consumer database,” Greuling said.  

“The threat actor who was selling the data set on the dark web must have mislabeled the data source accidentally or intentionally mislabeled the data set source for malicious intent, perhaps in an attempt to increase black market value.”

The 200,000 loan applications for sale were first discovered by researchers with RestorePrivacy and were from October and November of last year. The information included addresses, phone numbers, IP addresses, loan form submissions, loan type, credit score and more. 

RestorePrivacy noted that LendingTree shares user data with several affiliates, partners, service providers and more. 

In 2008, the company disclosed another data breach that involved several former employees handing over access to confidential customer records to different mortgage lenders. 

The lenders were given access to customer data that ranged from Social Security numbers to income and employment data. The companies then used that information to market the mortgages they were selling.

LendingTree admitted that the lenders had access to the information from October 2006 to some time in 2008. According to Reuters, LendingTree never disclosed when it discovered the breach, only telling the news outlet that it contacted law enforcement about the issue.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.