Lending Tree Data Breach, Sensitive Information Potentially Disclosed in Hack

On June 29, 2022, Lending Tree, LLC, an online lending marketplace based in based in Charlotte, North Carolina, reported a data breach to the Montana Attorney General’s Office.

According to the company’s Data Breach Notice, between mid-February, 2022 and sometime in June, 2022, “a code vulnerability likely resulted in the unauthorized disclosure of some sensitive personal information.”

Lending Tree discovered the “vulnerability” on June 3, 2022. It appears to have begun informing affected individuals on June 29, 2022.

In its Data Breach Notice Lending Tree states that “the vulnerability in the code no longer exists.”

The sensitive personal information that may have been accessed or acquired includes individuals’ full names, dates of birth, street address, and Social Security numbers (SSNs).

Lending Tree’s Notice provides no explanation as to what it means by a “code vulnerability,” how its data came to be taken, or by whom. There has been a media report that the data is now freely available on the internet, but, according to that report, Lending Tree has denied that the data circulating online originated with the company.

Lending Tree is offering affected individuals two years of complimentary identity monitoring services through IdentityForce. The deadline for enrollment in IdentityForce services is 90 days from the date of the letter.

Special California Laws Protect You

California has laws that specifically protect your personal information.

  • The California Customer Records Act(CCRA) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information. Companies must also notify affected California consumers quickly and without unreasonable delay.
  • The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents, including the implementation and maintenance of reasonable security procedures.

If certain types of personal information, like Social Security numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security procedures, an affected California resident can sue to protect their rights under the CCPA and CCRA. 

If you are a California resident and received a Recent Notice of Data Breach from Lending Tree you may be entitled to between $100 and $750 or your actual damages, whichever is greater.

Participants in data breach lawsuits can recover damagesinjunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.

Two Years of Identity Theft Services May Not Be Enough

▸ Electronic Personal Data Doesn’t Degrade

It is an unfortunate reality that cyber crimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate is approximately $20 per record depending on the type of information, according to Privacy Affairs Dark Web Index of 2021.

Certain critical types of personal information – like Social Security numbers, names, and birth dates – are impossible, or almost impossible, to change.

Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

It Pays To Know What Credit Monitoring Services Can Do For You

It is important to understand the benefits and limitations of any identity theft services. Not all credit monitoring and identity theft services offer the same protections nor cover the same length of time.

Before signing up with any credit monitoring service, some useful questions to ask include:

  • Does this service offer dark web monitoring?
  • Does the service monitor all three major credit bureaus on my behalf? (for example, the IdentityForce service outlined in the Data Breach Notice offers Single Bureau Credit Monitoring)
  • Does the service come with insurance to cover any immediate financial losses I might have as a result of this data breach? What proof of loss do I have to show? How am I reimbursed?
  • What happens if I have financial losses after the service expires?
  • Does this service assist with fraudulently filed tax returns? Medical identity theft?
  • What exactly will the service do for me if my personal information is sold on the dark web?
  • Can the service stop fraudulent charges from being made on my credit cards? Will it reimburse me if fraudulent charges are made?

Compromised SSNs Can Be a Complicated Problem

  1. A hacker with your SSN can use it to get other personal information about you.
  2. Identity thieves can use your SSN and name to apply for credit under your name. When the new credit cards are used by the thieves and they don’t pay, it damages your credit. You may not become aware of the scam until creditors start contacting you for non-payment of the thief’s bills, or you are denied credit.
  3. Stolen SSNs can be used to fraudulently file taxes, apply for jobs, and receive other government benefits.

“Keep in mind that a new [SSN] probably won’t solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) will have records under your old number.

Along with other personal information, credit reporting companies use the number to identify your credit record. So using a new number won’t guarantee you a fresh start. This is especially true if your other personal information, such as your name and address, remains the same.” (Social Security Administration Publication No. 05-10064 July 2021.)

Once you know your personal data has been disclosed, it is reasonable to take action to avoid concerns that your data will be used to cause you significant financial losses.

Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.

Personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers.

However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[1] The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[2]


[1] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

[2] Same