LendingTree, an IAC subsidiary that connects online borrowers with mortgage, credit card and auto loans, has suffered a major insider breach that exposed sensitive user files to lenders.

The company sent out e-mails to customers affected by the breach, warning that "several former employees may have taken Company passwords and given them to a handful of lenders."

LendingTree identified three lenders that received the stolen data and said lawsuits have been filed. The lenders are Newport Lending Group, of Irvine, Calif.; Home Loan Consultants Inc., of Newport Beach, Calif.; and Sage Credit Co., of Irvine, Calif.

The company did not say when the password heist occurred or how many customers were affected.

From a FAQ posted on the LendingTree Web site:

These lenders then used the passwords to access LendingTree customer information files, normally available only to LendingTree-approved lenders, to market loans to LendingTree's customers. The files contained loan request data such as name, address, email address, telephone number, Social Security number, income and employment information.

The company said no credit card information (account numbers or account balances) were involved in the data hijack.

"We have no evidence that any identity theft or consumer fraud has resulted from this situation," according to the LendingTree FAQ.

As StillSecure's Alan Shimel points out, this looks and smells like big-time corporate espionage.

* Photo credit: d70focus (Creative Commons 2.0).