Adding to a growing list of companies suffering data breaches, LendingTree notified mortgage customers Monday that some of their personal information may have been inappropriately accessed.
In a letter, the Charlotte-based company said that outside loan companies may have accessed the information, including Social Security numbers, between October 2006 and early 2008 and used it to market their own mortgages to LendingTree customers.
LendingTree would not say Monday when it learned of the incident or how many people were potentially affected. It sent e-mails to alert customers it believes may be at risk of having their information accessed.
The company said it does not believe the disclosure led to identity theft or fraudulent financial activity, but recommended customers check their credit reports for suspicious activity.
In the letter, the online loan finder and lender said its internal security uncovered the incident, prompting an internal investigation and a report to authorities.
According to a Q&A sent to customers, "several former employees" may have shared confidential passwords with "a handful" of lenders that were not approved by the company.
The lenders then used those passwords to access customer information files that contained mortgage request data such as name, address, e-mail address, phone number, Social Security number, income and employment information. The files did not contain credit card information, LendingTree said.
The company has since enhanced its security system and also filed a civil fraud lawsuit Monday in Orange County, Calif., in connection with the incident, according to public records. The suit names three California-based mortgage lenders, eight individuals and two other businesses as co-defendants.
More than 160 data breaches were reported during the first quarter of 2008, more than double the amount the year before, according to the nonprofit Identity Theft Resource Center. Of those, 7 percent were in the banking, credit and financial industries. The overall increase could be due in part to more mandatory reporting laws, the center noted.
LendingTree, which was bought by New-York based IAC/InterActiveCorp. in 2003, is slated to be spun off and become an independent company again later this year.