Personal information of about 56,000 Maryland consumers was compromised when several former employees of LendingTree.com, an online mortgage lending exchange, gave three mortgage brokers unauthorized access to company databases, according to state records.
Charlotte, N.C.-based LendingTree's internal security discovered the breach in early February, according to an April 17 letter sent to the Maryland attorney general's office. An investigation revealed that the former employees divulged passwords for company databases containing consumer information. Three California-based brokerages used the information to market loans to about 5,600 customers nationwide between December and February, according to the letter.
However, because the databases contained the names, dates of birth, Social Security numbers and income information for more than 56,000 Maryland customers who contacted LendingTree from October 2006 to December, the company sent letters to all of them about the security breach.
"LendingTree has no indication that the customer information was used for any purpose other than to solicit our customers for mortgage loans," the company wrote the Maryland attorney general. "In essence, we believe this situation involves three mortgage companies that wished to market mortgage loans without paying fees to LendingTree."
A company spokeswoman contacted yesterday declined to comment about the incident.
The brokers "illegitimately got their information for a legitimate business purpose," said Hugh Williams of the Maryland attorney general's office's identity theft program.
LendingTree is "informing many more people than may be affected so they can take the steps they need to protect themselves," he said.
Those who received letters should review their credit reports to verify that no fraudulent accounts had been opened in their names, Williams said.
LendingTree is also pursuing civil lawsuits against the companies and employees involved, according to an April 21 letter sent to affected consumers. LendingTree also contacted the FBI, which has been investigating the situation, according to the company. The company has also enhanced its security systems, the letter states.
The incident is one of 67 data breaches reported under Maryland's security-breach law, which went into effect in January. The law requires businesses that have data breaches involving Maryland residents to report the incidents to the state attorney general's office and to inform those affected.
The state ID theft program maintains a list of data breaches on its Web site, http:--www.oag.state.md.us/idtheft/breacheNotices.htm.