On Top Of Spying On Its Users, Sears Reveals Your Shopping Data To Anyone Who Wants It

from the well,-that's-useful dept

Weren't we just discussing the idea of criminal liability for egregious security problems with data? And... weren't we also just discussing Sears' offering to install spyware on your computer without much notice and all in the name of community? Well, let's combine those two stories. Ben Edelman has been doing some more digging on the Sears website and discovered a rather massive security hole allowing you to look up the purchases at Sears of just about anyone so long as you know their name, address and telephone number. As Edelman notes, this appears to be in direct violation of Sears' own privacy policy (and, well, common sense, but that's a different story...). So, now, Sears.com is spying on users without making it all that clear and revealing all customer purchase data with poorly implemented security. It's not a particularly comforting picture.


Reader Comments

  1.  You never know, Jan 4th, 2008 @ 9:19am

    I knew there was a reason I don't like shopping at Sears...

  2.  Anonymous Coward, Jan 4th, 2008 @ 9:21am

    oooooh

    Now that's what I call community!

  3.  Anonymous Coward, Jan 4th, 2008 @ 9:44am

    Wow, stupid Sears

    So I guess Facebook isn't the only stupid corporation around. I just tried this and up popped my parents' Sears purchases. Insane.

  4.  Anonymous Coward, Jan 4th, 2008 @ 9:56am

    This is why it was a better idea to have stiffer penalties for those that violate the anti-spyware laws. To most companies a small fine does nothing to them. Just pay the fine, and move on. They can add the extra expense to the customers' purchases, and still smell like a rose. But a major fine hits their pockets. Not so easy to pass on to the customer. Pay one or a couple of those, and you will think twice.

  5.  Sean, Jan 4th, 2008 @ 9:58am

    What's the crime?

    Unfortunately, having lousy security is not against the law. The free market system fixes problems like this. My question is why has no TV news magazine presented the same evidence as a "public service."

  6.  Smertguy, Jan 4th, 2008 @ 10:07am

    Re: What's the crime?

    Oh they will...

    Once they figure out how to spin it so that if you don't watch the 10 o'clock report you will DIE FROM THIS FLAW!

    Unless you'll die, someone has already died, something will blow up, or someone will die from blowing it up... thus killing someone, news really doesn't have the time to add it in.

    You have to fit it between the fluff pieces on your local animal shelter animals up for adoption, the cutesy picture of kids doing some great service to mankind by selling (insert crappy item here) for (insert crappy charity here), and the sensationalized coverage of the election "Obama wins Iowa, Hillary to commit suicide?", etc etc...

  7.  JB, Jan 4th, 2008 @ 10:23am

    eBay History

    If I know your eBay user ID I can see everything that you have bid on or bought using the advanced search feature.

    I can also see everything you have sold. For example, I see that my nephew is selling the PS2 game I gave him. He's selling it as used, so either he beat it or he didn't like it.

  8.  web user, Jan 4th, 2008 @ 10:41am

    first discovered issue

    For the record, "Heather" first uncovered this issue by posting a comment to the original Sears discovery here:
    http://community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx

    and then later followed up here:
    http://community.ca.com/blogs/securityadvisor/archive/2008/01/03/managemyhome-com-another-privacy-issue-for-sears.aspx

    "Heather said:
    OMG! Check out a Sears site, managemyhome.com. Once you register you can look up purchase information for ANYONE by just putting in their name, address and phone number. Sears has you enter a code and says that keeps your info safe, but that is pretty useless -- I think that just prevents a script from being created, but DOES NOT stop people from entering in anyone else's info to get the purchase info on big ticket items -- this could bring casing someone's house to a whole new level!!

    I contacted the privacy e-mail that the site provided, but no one ever responded. Anyone with any ideas about how to get this service off the web, I would be open to suggestions."

  9.  Spybot, Jan 4th, 2008 @ 10:59am

    #7

    The difference with eBay is that as an auctioneer you build trust by showing that you sell or have sold various items with honest effort in their description and quality of service in delivery. I wouldn't buy anything on eBay if it didn't have a search like that or the feedback system. In the case of Sears (as a retailer) all transactions are between you as a paying customer and Sears the company, and that transaction is assumed to be private, unlike a public auction house full of people where we all expect that everybody there will know what I bought and how much I paid for it because... well, then it wouldn't be an auction. So the devil is in the details of public auction (eBay) versus private sale (Sears). Sears has no right, without express written or digitally signed consent, to sell my purchasing records. If they make that clear then they are technically in the clear, because you know upfront your data is going to eventually be sold to the highest bidder and you release all right to privacy. You could always shop somewhere else, though I doubt many people would willingly shop at Sears.

  10.  Sears Executive, Jan 4th, 2008 @ 11:09am

    Community

    In a real community, everybody knows everybody else's business, we only figured it made sense to do it this way...

  11.  Pete, Jan 4th, 2008 @ 12:13pm

    Sears

    What is wrong with Sears? And who cares if they give this info away, there is nothing too crazy that would show up. Now if it was dildos-R-us, now some crazy stuff might show up there.
    ;)

  12.  Anonymous of Course, Jan 4th, 2008 @ 12:14pm

    Oh come on now...

    I'd like to know if this community site was created in house by Sears, or if they hired a developer to do the work. That sort of defect in security is for n00bs. It's the developer that should be castigated.

    I do not work at Sears. I do not shop at Sears. There is no Sears store within forty miles of my home. But here's the news...

    Sears is in business to sell stuff, and most of the stuff they sell is ok. The hand tools are almost good. So the community web site was botched. Yeah, it's a problem, Sears should thank people for bringing it to their attention and fix it now. I don't see it as a rational basis to impugn the entire company's reputation.

    This seems to excite the knee jerk reaction "big company, bad!" from some people. It seems that Big has become a pejorative term in nearly any case but government and fast food.

  13.  Jamey, Jan 4th, 2008 @ 1:13pm

    Re: Sears

    If I just bought a 50" plasma TV from Sears, I don't necessarily want some shady neighbors knowing about it.

  14.  uh..., Jan 4th, 2008 @ 1:28pm

    just tried it

    I just tried it, and I didn't see the "search your purchases" link. Either they removed it, or I just didn't see it because I'm sorta in a rush.

  15.  Pete, Jan 4th, 2008 @ 2:01pm

    Re: Re: Sears

    But the 50+ inch box sitting on the curb for garbage pickup doesn't tell them you just bought a new TV either...

  16.  ehrichweiss, Jan 4th, 2008 @ 2:18pm

    Re: eBay History

    I suspect that eBay allows it because they are technically an auction site and researching a bidder's history can help in uncovering shills, e.g. someone with a feedback around 0 but has bid on 100 items from the same seller and yet never purchased anything.

  17.  ehrichweiss, Jan 4th, 2008 @ 2:19pm

    Re: #7

    That's pretty much what I was getting at. Thanks for clarifying some of those points about the relationship between Sears and its customers.

  18.  ehrichweiss, Jan 4th, 2008 @ 2:29pm

    Re: Re: Re: Sears

    Good point (really), but someone has to actually drive around a city looking for those boxes, whereas with this info being online, you can sit at home and case entire neighborhoods for loot. Then you can take your time casing the physical aspects.

    But wait, there's more... If I know your name and telephone number and that you've made a purchase from Sears, it becomes a trivial task to social engineer other information as well.

    "Hi, this is the Sears Warranty Support Center. I see that you recently purchased one of our plasma televisions but you neglected to get an extended warranty on it."

    Customer: "What!?!?! I paid $300 for a 5 year service plan"

    "Sorry, we don't have any record of that. Can you please tell me the credit card number you used for the purchase?........and that expires when??? Hmm, sorry, I still don't show anything...oh wait, here it is...they mistyped your DOB in our system. It's all fixed now. Sorry for the inconvenience"

    It REALLY is that easy and the customer will thank the "representative" for helping resolve the "problem", and it's only that easy because all of that information is available.

    P.S. We take all of the boxes to any expensive items and put them in front of some neighbor's house that we don't like. We do this regardless of whether it's Xmas or the like. So this year I imagine that some crackhead will break in trying to find their new Wii.

  19.  weebit, Jan 4th, 2008 @ 7:16pm

    Re: Re: Sears

    I am going to agree with you on this. If I make a major purchase... what is my guarantee that the person checking my purchases is not staking me out in order to commit a crime of burglary?

    To some this kind of info looks innocent enough, but to others it looks like a gold mine. Look up a neighborhood of names from mailboxes, or discarded mail, and have a field day on the few holidays we do have each year. Just by checking out who bought what, when, and how much that product may be worth on the streets.

    I get the shivers just thinking about this. Bad idea on the part of Sears.

  20.  heather, Jan 5th, 2008 @ 10:22am

    Re: What's the crime?

    Well, Sean, first of all, Sears is violating their own privacy policy by giving out customer information to the general public. Secondly, this most likely also violates their agreements with Visa and MC.

    In regards to the general media -- Sears was smart to pull the function very quickly before the media got a hold of it. I wonder if all the blogging increased traffic of hackers and people entering multiple addresses. They certainly did scurry to get the info off the website. I did see articles on Yahoo News, ABC News and the Washington Post, so although it has not gotten TV press, the word is spreading.

  21.  heather, Jan 5th, 2008 @ 12:40pm

    Interested in Class Action

  22.  mike m, Jan 7th, 2008 @ 7:40am

    Yes, the real buffoon here is Jim Hilt, the director of Manage My Home. See this article that Ben highlighted in his article about what Manage My Home was doing. Jim is freely talking about the benefit.

    http://findarticles.com/p/articles/mi_qn4155/is_20071109/ai_n21104858

    This guy definitely gets the award for the stupidest web marketer of the year! Think I’ll shoot him and Alwyn an e-mail and let them know what I think about them giving out my personal information to the general public. Since they were so free with my info, I don’t have a problem sharing their info -- I got Alwyn’s e-mail address from a posting on the ca website Alewis1@searshc.com -- I would guess that Jim’s e-mail address is Jhilt00@searshc.com or jhilt01@searshc.com.
