LendingTree Mischaracterized Scope of February 2022 Data Breach, Class Action Claims

New to ClassAction.org? Read our Newswire Disclaimer

LendingTree faces a proposed class action over a February 2022 cyberattack in which the company “lost control” over the highly sensitive personal information of more than 200,000 consumers. 

According to the 26-page suit, hackers were able to exploit a “code vulnerability” in LendingTree’s system, which allowed them to bypass the loan marketplace’s security and access the information it stores on consumers, including some who have never used LendingTree’s services. Per the case, LendingTree did not discover the hack until June 2022, four months after it occurred. 

The complaint says that when LendingTree finally disclosed the incident in June, it failed to tell consumers that their information was on the dark web, or relay the entirety of the information the company lost in the cyberattack. 

“In fact, LendingTree’s notice downplayed the breach, telling consumers that it lost control over only consumers’ Social Security numbers, dates of birth and home addresses,” the lawsuit states. 

According to the filing, third-party researchers have confirmed that LendingTree has misrepresented the scope of the data breach, as hackers have posted online consumers’ phone numbers, IP addresses, loan form submissions, loan types, and credit scores “for anyone to download.” 

In the four months between when the data breach occurred and when it was disclosed by LendingTree, the plaintiff, a Watertown, Massachusetts resident with no prior relationship with the defendant, suffered “repeated identity theft, including fraudulent account openings, unwanted address changes, and fraudulent charges,” the case says.  

“Because LendingTree had not disclosed the Data Breach immediately after it happened, Plaintiff could not proactively protect himself from this identity theft, nor could he understand why it was happening,” the filing reads. 

The lawsuit states that LendingTree has a “sordid history” with data security as the company was hacked at least twice before the February 2022 incident. In 2008, the case says, LendingTree employees, in an act of corporate espionage, stole consumer data from the company’s internal systems and transferred it to the defendant’s competitors. In January 2022, LendingTree disclosed another data security incident that reportedly affect an unknown number of consumers, the suit states. 

“In each case,” the complaint says, “LendingTree was unable to prevent detect, or stop the breaches from happening before cybercriminals accessed and stole consumer [personally identifiable information], meaning it has been unwilling or unable to implement reasonable cybersecurity.” 

The suit looks to represent all individuals in the United States whose personally identifiable information was compromised in the data breach disclosed by LendingTree in June 2022. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.