LendingTree Mischaracterized Scope of February 2022 Data Breach, Class Action Claims
Lamie v. LendingTree, LLC
Filed: July 11, 2022 | Case No. 3:22-cv-00307
LendingTree faces a proposed class action over a February 2022 cyberattack in which the company “lost control” over the highly sensitive personal information of more than 200,000 consumers.
According to the 26-page suit, hackers were able to exploit a “code vulnerability” in LendingTree’s system, which allowed them to bypass the loan marketplace’s security and access the information it stores on consumers, including some who have never used LendingTree’s services. Per the case, LendingTree did not discover the hack until June 2022, four months after it occurred.
The complaint says that when LendingTree finally disclosed the incident in June, it failed to tell consumers that their information was on the dark web, or relay the entirety of the information the company lost in the cyberattack.
“In fact, LendingTree’s notice downplayed the breach, telling consumers that it lost control over only consumers’ Social Security numbers, dates of birth and home addresses,” the lawsuit states.
According to the filing, third-party researchers have confirmed that LendingTree has misrepresented the scope of the data breach, as hackers have posted online consumers’ phone numbers, IP addresses, loan form submissions, loan types, and credit scores “for anyone to download.”
In the four months between when the data breach occurred and when it was disclosed by LendingTree, the plaintiff, a Watertown, Massachusetts resident with no prior relationship with the defendant, suffered “repeated identity theft, including fraudulent account openings, unwanted address changes, and fraudulent charges,” the case says.
“Because LendingTree had not disclosed the Data Breach immediately after it happened, Plaintiff could not proactively protect himself from this identity theft, nor could he understand why it was happening,” the filing reads.
The lawsuit states that LendingTree has a “sordid history” with data security, as the company was hacked at least twice before the February 2022 incident. In 2008, the case says, LendingTree employees, in an act of corporate espionage, stole consumer data from the company’s internal systems and transferred it to the defendant’s competitors. In January 2022, LendingTree disclosed another data security incident that reportedly affected an unknown number of consumers, the suit states.
“In each case,” the complaint says, “LendingTree was unable to prevent, detect, or stop the breaches from happening before cybercriminals accessed and stole consumer [personally identifiable information], meaning it has been unwilling or unable to implement reasonable cybersecurity.”
The suit looks to represent all individuals in the United States whose personally identifiable information was compromised in the data breach disclosed by LendingTree in June 2022.