Mortgage company, insurance comparison site both in legal crosshairs
Last year, hackers managed to infiltrate a cloud database hosted by cloud data analytics company Snowflake. Shares fell in LendingTree when the lender announced on June 10 that there had been an incident. Although the company initially thought that financial data had not been compromised, it quickly turned out that criminals were auctioning off QuoteWizard customer data on online forums.
It now appears that LendingTree and its subsidiary, QuoteWizard, are facing a proposed consumer class action lawsuit following a data breach that allegedly exposed the personal information of "hundreds of millions of consumers."
The lawsuit, filed Monday in a North Carolina federal court by plaintiffs Linda Pierce and Nathan Thomas, accuses the online lending platform of negligence. The complaint alleges that the Charlotte-based company and QuoteWizard failed to implement adequate security measures while using cloud storage services provided by Snowflake, ultimately compromising consumer data.
According to Pierce and Thomas, the breach was the result of "basic data security failings on the part of defendants", claiming that LendingTree and QuoteWizard "flouted relevant governmental guidance, regulations, statutes" and ignored industry best practices.
Pierce, a Texas resident, and Thomas, from Washington state, both reported using LendingTree’s services. Pierce recalled applying for a loan through a LendingTree web-based application within the past two years, while Thomas described himself as a "frequent user" of the platform.
Both plaintiffs received notification letters from QuoteWizard in July 2024, informing them that they had been affected by the breach. Pierce reported that her compromised data included her name, home address, email, phone number, date of birth, driver's license number, Social Security number, and certain financial information. She also stated that her personal data had since appeared on the dark web and that she had experienced a rise in spam calls and texts.
Thomas, meanwhile, said his stolen information included his name, address, email, phone number, and date of birth. He claimed to have noticed "fraudulent charges totaling approximately $400" in his financial accounts and discovered in late 2024 that an unauthorized bank account had been opened in his name.
Both plaintiffs emphasized that they are "very careful about sharing [their] personal information" and do not knowingly transmit unencrypted data over unsecured channels.
The plaintiffs are requesting that their claims be transferred to the District of Montana, where the Judicial Panel on Multidistrict Litigation is overseeing other lawsuits related to the Snowflake breach. The panel is handling cases involving various affected companies, including AT&T, Ticketmaster, and Advance Auto Parts Inc.
A newly filed version of the multidistrict litigation (MDL) complaint describes the breach as a "hub-and-spoke" case, with Snowflake serving as the "hub" that provides cloud storage services to multiple "spokes", such as LendingTree, which stored consumer data on its platform.
"The 'hub' in this case is defendant Snowflake, which is a company that specializes in cloud-storage technologies to warehouse and secure sensitive data, and in selling data storage and analytics products. Snowflake sells its data storage services to numerous companies, or 'spokes', who store information on Snowflake's data cloud," the MDL complaint states.
The breach affected approximately 165 companies, including prominent names such as Ticketmaster, AT&T, Advance Auto Parts, Santander Bank, and LendingTree.
The attackers exploited compromised credentials, often obtained through infostealer malware, to access customer accounts lacking multi-factor authentication. This vulnerability allowed them to exfiltrate substantial amounts of sensitive data.
