LendingTree hit with suit connected to Snowflake hack

A data breach at LendingTree's subsidiary, QuoteWizard, last year continues to affect the company today.

In a recently filed suit, two LendingTree consumers accuse the financial services marketplace of failing to have the proper safety measures in place to safeguard customer data.

"Hundreds of millions of consumers" who used LendingTree allegedly had their data leaked during a cybersecurity incident tied to a broader attack on customers of data storage company Snowflake.

Data was exposed via the Snowflake hack because Lendingtree lacked the protocols to keep it safe, including having two-factor authentication in place, the complaint argues. Following the attack, the unidentified threat actors were auctioning off the consumer data, a source told Insurance Journal last year.

"These companies collectively flouted relevant governmental guidance, regulations, statutes, and industry standards," Linda Pierce, a Texas-resident, and Nathan Thomas, a Washington-based resident, argue in their suit filed Feb. 3. LendingTree did not immediately respond to a request for comment Thursday.

The financial services platform previously denied that the breach compromised its data, noting the attack "didn't affect information linked to the parent company or financial account information of QuoteWizard customers."

But the plaintiffs argue otherwise. 

Pierce and Thomas claim they both experienced fraud-related events in the aftermath of the attack. Pierce, who applied for a loan through Lendingtree, has seen a surge of notices from a credit monitoring company that her personal information was on the dark web. She has also been bombarded with spam calls and texts, litigation said.

Meanwhile, Thomas, who experienced similar grievances to Pierce, also had fraudulent charges on his card totaling $400 and an unauthorized bank account was opened in his name.

Both plaintiffs, who are asking a North Carolina federal court to certify the suit as a class action, say they've spent ample time and expenses mitigating the imminent and substantial risk of data misuse. They are also asking for undisclosed monetary damages. 

Similar class-action suits filed against other big players in the financial services space, such as Mr. Cooper and Academy Mortgage, have struggled to prove that leaked PII caused harm to all consumers included in the complaints. Mr. Cooper has argued that plaintiffs suing it for its hack — which leaked the social security numbers of 14.7 million customers — cannot prove Article III injury. (This standing requires plaintiffs to show they suffered or are about to suffer a concrete harm that is caused by the defendant's actions.) 

This is despite plaintiffs previously detailing several alleged aftermaths of the hack, including one Mr. Cooper customer having $25,000 stolen from her Charles Schwab account and another having 11 credit cards opened in their name.

The mortgage servicer has moved to dismiss the suit, though the case as of Feb. 6 is still pending. The lawsuit filed against Academy Mortgage over its 2023 hack was recently dismissed for failing to provide sufficient evidence of harm.