LendingTree Class Action Lawsuit Alleges Data Breach Caused by “Reckless” Use of Snowflake Cloud Servers

Cloud storage company Snowflake has already been implicated in data breach lawsuits involving Ticketmaster, AT&T and Advance Auto Parts.

Snowflake, Inc. has been named as the “hub” in a series of “hub-and-spoke” data breach lawsuits, which have included Ticketmaster, AT&T and Advance Auto Parts, as well as the most recently implicated “spoke”, LendingTree.

In a complaint (PDF) filed in the U.S. District Court for the Western District of North Carolina on February 3, Linda Pierce and Nathan Thomas claim that their personally identifiable information was compromised through a LendingTree data breach linked to security problems with Snowflake servers.

Snowflake is a cloud-based data warehouse platform, which allows other organizations to use their servers to store, process, and analyze large amounts of records. Among Snowflake’s customers are a handful of companies that have been the subject of high profile data breaches in recent years, including AT&T and Ticketmaster.

Although Snowflake has reportedly denied that either of those data breaches were due to cybersecurity failures on its end, the company has still been named as a defendant in a growing number of AT&T lawsuits and Ticketmaster lawsuits concerning cybersecurity events affecting customers of both those companies.

Snowflake now faces another lawsuit linked to cybersecurity failures, stemming from a data breach at LendingTree in June 2024, adding to the mounting accusations against the company.

LendingTree Data Breach Lawsuit

In the new LendingTree data breach lawsuit, Pierce claims that she received a letter from LendingTree’s insurance marketplace, QuoteWizard, dated July 20, 2024, informing her that her personal information was potentially compromised in a data breach.

According to Pierce, she had provided LendingTree with her name, home address, email address, phone number, date of birth, driver’s license number, Social Security number and financial information. Since receiving the QuoteWizard letter, Pierce has learned through a credit monitoring service that her personally identifiable information has been found on the dark web, where hackers often post and sell the information they acquire illegally.

Thomas claims that he provided LendingTree with his name, address, email address, phone number and date of birth. Following the data breach in June 2024, he indicates there have been multiple fraudulent charges for $400 each to his accounts, as well as an unauthorized bank account opened in his name, both of which he attributes to information acquired through the LendingTree data breach.

The cause of the data breach was LendingTree’s “reckless” use of Snowflake’s cloud-based servers to store customers’ personal identifying information, according to the lawsuit.

Pierce and Thomas are filing their complaint on behalf of themselves and others similarly situated, claiming negligence and violation of applicable state consumer protection laws on the part of defendants LendingTree and QuoteWizard. They are seeking injunctive relief, compensatory, consequential, general and nominal damages, as well as punitive or exemplary damages.

Snowflake Data Breach Lawsuits Continue To Grow

In addition to the lawsuit filed against LendingTree, Pierce and Thomas have added their names to another class action complaint (PDF) filed against Snowflake in the U.S. District Court for the District of Montana on February 3.

In the Montana complaint, Pierce, Thomas and multiple other plaintiffs name Snowflake, Inc. as the sole defendant, claiming that the company acts as a data storing hub for multiple spokes, including AT&T, Ticketmaster, Advance Auto Parts and LendingTree.

Snowflake has been responsible for multiple data breaches, the complaint alleges, most of which were due to the company not using three industry-standard cybersecurity protection policies, including multi factor authentication.

As a result, the criminal cybergang UNC5537 was able to obtain compromised credentials for many of Snowflake’s “spoke” accounts, allowing the personal information of those spokes’ customers to be accessed, stolen and sold on the dark web.

“Plaintiffs and Class Members now face the real and actual harm that the Data Breach has caused them and will continue to cause them,” the lawsuit states. “Not only have cybercriminals obtained valuable and sensitive Personal Information about them, but that information has been obtained by other criminals and offered for resale to still more criminals. As a result, Plaintiffs and Class Members have already experienced fraud or attempted fraud, an invasion of their privacy, time and expenses spent mitigating the imminent and substantial risk of data misuse, and are at significant risk of identity theft, reputational harm, and other injuries.”

The plaintiffs in the Snowflake case are asking that their claims of negligence and violation of the Montana Unfair Trade Practices and Consumer Protection Act be transferred to the Snowflake lawsuit MDL (multidistrict litigation) currently before U.S. District Judge Brian Morris in the District of Montana.