LendingTree's Poor Security Practices Are the Cause of Data Breach - April 23, 2008
Orlando, FL-based LendingTree is warning customers that their personal data may have been compromised by its former employees, who used their passwords to pilfer the data from the company's systems.
In an email to customers, LendingTree said the former employees helped some mortgage lenders gain access to its customer database by sharing their confidential passwords. The data was used by those lenders to market their own mortgage loans.
The lenders accessed LendingTree's loan request forms between October 2006 and early 2008. The breached data includes names, addresses, email addresses, telephone numbers, Social Security numbers, and income and employment information.
LendingTree said customer loan request forms are normally available only to LendingTree-approved lenders, to market loans to those customers.
In the email to customers, the company said it has no evidence that any identity theft or consumer fraud has resulted from the breach. "I'd be surprised to hear if LendingTree even made an effort to validate this statement," said one LendingTree client.
"When we learned of this situation, we quickly contacted the authorities, and LendingTree is helping with their investigation," LendingTree said. "We promptly made several system security changes. We also brought lawsuits against those involved." What LendingTree should have been doing is keeping the horse in the barn with hardened security, rather than saying "we are investigating" after the horse is down the road. Come on.
Security experts and analysts said the breach is likely the result of a breakdown in policy and the company's user provisioning system. The system is used to grant access rights to systems and applications when employees change roles within an organization.
Companies should conduct an identity audit process every three to six months to discover passwords still available to terminated employees, said Brian McCarthy, President of Sencilo Solutions and a longtime security expert. If LendingTree had conducted the audit, the breach probably could have been prevented, McCarthy said.
"It's important to have a user provisioning system that will disable employee access when they leave the company," Cser said.
Companies in the financial services industry are furthest along deploying provisioning systems, but the trend is gaining ground in other industries, Cser said. Adoption is being driven primarily for compliance and the need to reduce IT cycle times.
"We're seeing transition from implementing Web access management systems towards user account provisioning," he said. "We predict the biggest gains will come from user account provisioning systems and their adoption."
Insiders are involved in about half of all data breach cases, but many firms are so focused on hardening the perimeter that insider threats are neglected, said Brian Cleary, vice president of marketing at access management vendor Juniper Networks.
"This is a case of really poor policy automation and a fundamental lack of good access governance which now has exposed LendingTree to a potential liability," Cleary said.
During an access review, many firms discover a number of orphaned accounts within the organization that provide access privileges but don't map back to a particular user, Cleary said. Access review in an organization typically falls on the CISO, but other parts of the company are involved, Cleary said. Business units are in a good position to certify that an employee has the right privileges, and the company's audit and compliance team understands the policies and sets them to the right business rules to create a set of controls.
LendingTree advised customers to obtain and monitor their credit reports and referred them to a LendingTree credit protection page on its website. LendingTree also set up a breach FAQ outlining the situation to customers.
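An added example, not from the original article or from LendingTree: one way the identity audit and orphaned-account review described above could be run, by reconciling an application's account export against the HR roster. The CSV layouts, column names, finding labels and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): an HR roster export and an
# account export from the system that holds customer loan request forms.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E100,Alice Ng,active,
E101,Bob Ruiz,terminated,2007-03-15
E102,Cara Lind,terminated,2007-11-02
"""

ACCOUNTS_CSV = """account,employee_id,enabled,last_login
ang,E100,true,2008-04-01
bruiz,E101,true,2008-01-20
clind,E102,false,2007-10-30
svc_export,,true,2008-03-12
jdoe,E999,true,2006-12-01
"""


def _parse_date(text):
    """Return a date for an ISO string, or None for an empty field."""
    return date.fromisoformat(text) if text else None


def audit_accounts(hr_csv, accounts_csv):
    """Reconcile accounts against HR; return (account, finding) tuples."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        name = acct["account"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = _parse_date(acct["last_login"])
        owner = roster.get(acct["employee_id"])
        if owner is None:
            # No HR record maps to this account: it is orphaned.
            if enabled:
                findings.append((name, "ORPHANED_ENABLED"))
            continue
        if owner["status"] != "terminated":
            continue
        term = _parse_date(owner["termination_date"])
        if enabled:
            # Credentials that still work after the owner left the company.
            findings.append((name, "TERMINATED_STILL_ENABLED"))
        if term and last_login and last_login > term:
            # Evidence of use after departure, even if since disabled.
            findings.append((name, "LOGIN_AFTER_TERMINATION"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(HR_ROSTER_CSV, ACCOUNTS_CSV):
        print(f"{finding:26} {account}")
```

Accounts flagged `LOGIN_AFTER_TERMINATION` are the ones to hand to incident response first, since they show actual use rather than only stale provisioning.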
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/mainservices.php
About Us
Sencilo Solutions is a Florida-based integrator specializing in storage, security and networking solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including VMware, EMC, NetApp, Juniper Networks, Hitachi, Symantec, Barracuda Networks, and HP. Its technical expertise is known throughout the storage and security industry. Clients include leading corporations, major financial institutions, top universities, government facilities, as well as small to medium size businesses. Sencilo's professional services include consulting, integration, project management, installation, maintenance and knowledge transfer.
Sencilo has offices throughout Florida including: Jacksonville, Miami, Tampa, St. Petersburg, Orlando, Hialeah, Fort Lauderdale, Tallahassee, Cape Coral, and Pembroke Pines.