On Top Of Spying On Its Users, Sears Reveals Your Shopping Data To Anyone Who Wants It

from the well,-that's-useful dept

Weren’t we just discussing the idea of criminal liability for egregious security problems with data? And… weren’t we also just discussing Sears’ offering to install spyware on your computer without much notice and all in the name of community? Well, let’s combine those two stories. Ben Edelman has been doing some more digging on the Sears website and discovered a rather massive security hole allowing you to look up the purchases at Sears of just about anyone so long as you know their name, address and telephone number. As Edelman notes, this appears to be in direct violation of Sears’ own privacy policy (and, well, common sense, but that’s a different story…). So, now, Sears.com is spying on users without making it all that clear and revealing all customer purchase data with poorly implemented security. It’s not a particularly comforting picture.

Companies: sears


Comments on “On Top Of Spying On Its Users, Sears Reveals Your Shopping Data To Anyone Who Wants It”

22 Comments
Anonymous Coward says:

This is why it was a better idea to have stiffer penalties for those that violate the anti spyware laws. To most companies a small fine does nothing to them. Just pay the fine, and move on. They can add the extra expense to the customers purchases, and still smell like a rose. But a major fine hits their pockets. Not so easy to pass on to the customer. Pay one or a couple of those, and you will think twice.

Smertguy says:

Re: What's the crime?

Oh they will…

Once they figure out how to spin it so that if you don’t watch the 10 o’clock report you will DIE FROM THIS FLAW!

Unless you’ll die, someone has already died, something will blow up, or someone will die from blowing it up… thus killing someone news really doesn’t have the time to add it in.

You have to fit it between the fluff pieces on your local animal shelter animals up for adoption, the cutesy picture of kids doing some great service to mankind by selling (insert crappy item here) for (insert crappy charity here), and the sensationalized coverage of the election “Obama wins Iowa, Hillary to commit suicide?”, etc etc…

heather says:

Re: What's the crime?

Well, Sean, first of all, Sears is violating their own privacy policy by giving out customer information to the general public. Secondly, this most likely also violates their agreements with Visa and MC.

In regards to the general media — Sears was smart to pull the function very quickly before the media got a hold of it. I wonder if all the blogging increased traffic of hackers and people entering multiple addresses. They certainly did scurry to get the info off the website. I did see articles on yahoo news, abc news and the washington post, so although it has not gotten TV press, the word is spreading.

web user says:

first discovered issue

For the record, “Heather” first uncovered this issue by posting a comment to the original Sears discovery here:
http://community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx

and then later followed up here:
http://community.ca.com/blogs/securityadvisor/archive/2008/01/03/managemyhome-com-another-privacy-issue-for-sears.aspx

“Heather said:
OMG! Check out a sears site managemyhome.com. Once you register you can look up purchase information for ANYONE by just putting in their name, address and phone number. Sears has you enter a code and says that keeps your info safe, but that is pretty useless — I think that just prevents a script from being created, but DOES NOT stop people from entering in anyone else’s info to get the purchase info on big ticket items — this could bring casing someone’s house to a whole new level!!

I contacted the privacy e-mail that the site provided, but no one ever responded. Anyone with any ideas about how to get this service off the web, I would be open to suggestions.”

Spybot says:

#7

The difference with ebay is that as an auctioneer you build trust by showing that you sell or have sold various items with honest effort in their description and quality of service in delivery. I wouldn’t buy anything on ebay if it didn’t have a search like that or the feedback system. In the case of sears (as a retailer) all transactions are between you as a paying customer and sears the company, and that transaction is assumed to be private, unlike a public auction house full of people where we all expect that everybody there will know what I bought and how much I paid for it because… well, then it wouldn’t be an auction. So the devil is in the details of public auction (ebay) and private sale (sears). Sears has no right, without express written or digitally signed consent, to sell my purchasing records. If they make that clear then they are technically in the clear, because you know upfront your data is going to eventually be sold to the highest bidder and you release all right to privacy. You could always shop somewhere else, though I doubt many people would willingly shop at sears.

ehrichweiss says:

Re: Re: Re: Sears

Good point(really) but someone has to actually drive around a city looking for those boxes whereas with this info being online, you can sit at home and case entire neighborhoods for loot. Then you can take your time casing the physical aspects.

But wait, there’s more.. If I know your name and telephone number and that you’ve made a purchase from Sears, it becomes a trivial task to social engineer other information as well.

“Hi, this is the Sears Warranty Support Center. I see that you recently purchased one of our plasma televisions but you neglected to get an extended warranty on it.”

Customer: “What!?!?! I paid $300 for a 5 year service plan”

“Sorry, we don’t have any record of that. Can you please tell me the credit card number you used for the purchase?……..and that expires when??? Hmm, sorry, I still don’t show anything…oh wait, here it is…they mistyped your DOB in our system. It’s all fixed now. Sorry for the inconvenience”

It REALLY is that easy and the customer will thank the “representative” for helping resolve the “problem”, and it’s only that easy because all of that information is available.

P.S. We take all of the boxes to any expensive items and put them in front of some neighbor’s house that we don’t like. We do this regardless if it’s Xmas or the like. So this year I imagine that some crackhead will break in trying to find their new Wii.

weebit (user link) says:

Re: Re: Sears

I am going to agree with you on this. If I make a major purchase …what is my guarantee that the person checking my purchases is not staking me out in order to commit a crime of burglary?

To some this kind of info looks innocent enough, but to others it looks like a gold mine. Look up a neighborhood of names from mailboxes, or discarded mail, and have a field day on the few Holidays we do have each year. Just by checking out who bought what, when, and how much that product may be worth on the streets.

I get the shivers just thinking about this. Bad idea on the part of Sears.

Anonymous of Course says:

Oh come on now...

I’d like to know if this community site was created in house by Sears, or if they hired a developer to do the work. That sort of defect in security is for n00bs. It’s the developer that should be castigated.

I do not work at Sears. I do not shop at Sears. There is no Sears store within forty miles of my home. But here’s the news…

Sears is in business to sell stuff- and most of the stuff they sell is ok. The hand tools are almost good. So the community web site was botched. Yeah, it’s a problem, Sears should thank people for bringing it to their attention and fix it now. I don’t see it as a rational basis to impugn the entire company’s reputation.

This seems to excite the knee jerk reaction “big company, bad!” from some people. It seems that Big has become a pejorative term in nearly any case but government and fast food.

mike m says:

Yes, the real buffoon here is Jim Hilt the director of Manage My Home. See this article that Ben highlighted in his article about what Manage My Home was doing. Jim is freely talking about the benefit.

http://findarticles.com/p/articles/mi_qn4155/is_20071109/ai_n21104858

This guy definitely gets the award for the stupidest web marketer of the year! Think I’ll shoot him and Alwyn an e-mail and let them know what I think about them giving out my personal information to the general public. Since they were so free with my info, I don’t have a problem sharing their info — I got Alwyn’s e-mail address from a posting on the ca website Alewis1@searshc.com — I would guess that Jim’s e-mail address is Jhilt00@searshc.com or jhilt01@searshc.com.
