LendingTree, QuoteWizard Face Class Action Lawsuit Over Snowflake Data Breach

LendingTree and its subsidiary, QuoteWizard, are facing a proposed class action lawsuit following a data breach that exposed the personal information of millions of consumers. The breach allegedly occurred due to a vulnerability in the online storage service provided by cloud data analytics company Snowflake. 

• • Hackers accessed LendingTree and QuoteWizard customer data stored on Snowflake’s cloud storage service.
  • Plaintiffs claim LendingTree and QuoteWizard failed to implement adequate security measures.
  • The case touches on the shared responsibility model in cloud-based data storage.
  • It may be transferred to Montana, where other Snowflake data breach lawsuits are consolidated.
  • Milberg Senior Partner Scott C. Harris is representing the plaintiffs. 

The LendingTree, QuoteWizard, and Snowflake Nexus

LendingTree helps people find the best terms for loans, credit cards, insurance, and other financial products. It is the parent company of QuoteWizard, which specializes in insurance comparison services, including auto, home, and life insurance. When a user is looking for insurance through LendingTree, they might be directed to QuoteWizard’s platform to compare insurance quotes. 

None of the Defendants implemented three of the most basic and rudimentary cybersecurity policies to protect Personal Information, including most prominently, multifactor authentication. The foreseeable result? A data breach.

Snowflake Inc. is a cloud-based data storage and warehousing company whose platform allows users to store, analyze, and share data. LendingTree and QuoteWizard used Snowflake’s cloud storage services to store consumer data, resulting in both companies being impacted by a recent data breach that involved hackers gaining access to sensitive customer data stored on the Snowflake cloud platform.

The Data Breach

In June 2024, hackers exploited a security flaw in Snowflake’s cloud storage system, gaining unauthorized access to the personal data of LendingTree and QuoteWizard customers. The compromised information included names, addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, and financial information.

The Lawsuit

LendingTree users Linda Pierce and Nathan Thomas filed a data breach lawsuit complaint in U.S. District Court for the Western District of North Carolina. They allege that LendingTree and QuoteWizard were negligent and violated consumer protection laws because they did not keep their personal information secure.

Claims

The lawsuit claims that defendants LendingTree and QuoteWizard “flouted relevant governmental guidance, regulations, statutes, and industry standards” and ignored industry best practices for data security. Plaintiffs argue that the companies should have implemented stronger security measures, such as multi-factor authentication, to protect their personal information. 

Impact on Plaintiffs and Class

Pierce and Thomas report experiencing various forms of harm following the breach, including fraudulent charges, unauthorized bank account openings, and an increase in spam calls and texts. They also expressed concerns about the long-term risks of identity theft and the potential misuse of their stolen information.

Multidistrict Litigation

Plaintiffs Pierce and Thomas have requested that the case be transferred to the District of Montana, where the Judicial Panel on Multidistrict Litigation is overseeing other lawsuits related to the Snowflake breach.

According to reports, the Snowflake data breach potentially impacted around 165 companies. In addition to LendingTree, notable victims of the breach include AT&T, Ticketmaster, Santander Group, and Advance Auto Parts. Cyber security experts say it could be one of the largest-ever breaches. 

Legal Issues

The case, and the related MDL, could add to case law about how liability is determined in data breach incidents involving cloud service providers and their clients.

In their North Carolina class action complaint, plaintiffs argue that LendingTree and QuoteWizard are ultimately responsible for the security and privacy of their customers’ information. However, in the Montana MDL, if evidence shows that Snowflake’s security measures were inadequate, Snowflake could face liability as well.

The Judicial Panel on Multidistrict Litigation states that “Snowflake’s security practices will be a particularly important issue given the common allegation that Snowflake operates within a ‘shared responsibility’ cybersecurity model and is jointly responsible with its corporate clients for protecting information held on the Snowflake cloud.”

The court will examine factors such as the nature of the vulnerabilities that led to the breach, the contractual agreements between Snowflake and its cloud storage clients, and if the affected companies, like LendingTree, took adequate steps to protect their data within Snowflake’s platform.

It’s possible that both Snowflake and its clients will end up bearing some liability for the data breach. Snowflake might be held responsible for any vulnerabilities in its platform that contributed to the breach, while the individual companies might be liable for security shortcomings on their end.

Milberg’s Nation-Leading Cybersecurity Practice

Milberg is currently involved in some of the nation’s largest and most complex class action lawsuits and has played a key role in developing case law favorable to plaintiffs in the cybersecurity and privacy space.

Over the past three years, Milberg has settled on a class-wide basis more than fifty (50) actions involving privacy violations in state and federal courts across the country as lead or co-lead counsel. No other plaintiffs’ class action firm in the country has settled and won court approval of more data breach and data privacy class actions during this time period.

The firm also filed the fifth most class action lawsuits of any firm nationwide from 2021 to 2023 and over the same period filed the third most consumer protection lawsuits.