On Top Of Spying On Its Users, Sears Reveals Your Shopping Data To Anyone Who Wants It

from the well,-that's-useful dept

Weren't we just discussing the idea of criminal liability for egregious security problems with data? And... weren't we also just discussing Sears' offering to install spyware on your computer without much notice and all in the name of community? Well, let's combine those two stories. Ben Edelman has been doing some more digging on the Sears website and discovered a rather massive security hole allowing you to look up the purchases at Sears of just about anyone so long as you know their name, address and telephone number. As Edelman notes, this appears to be in direct violation of Sears' own privacy policy (and, well, common sense, but that's a different story...). So, now, Sears.com is spying on users without making it all that clear and revealing all customer purchase data with poorly implemented security. It's not a particularly comforting picture.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ben edelman, privacy, security, shopping data
Companies: sears

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    web user, 4 Jan 2008 @ 10:41am

    first discovered issue

    For the record, "Heather" first uncovered this issue by posting a comment to the original Sears discovery here:
    http://community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get- spyware.aspx

    and then later followed up here:
    http://community.ca.com/blogs/securityadvisor/archive/2008/01/03/managemyhome-com-another-privacy- issue-for-sears.aspx

    "Heather said:
    OMG! Check out a sears site managemyhome.com. Once you register you can look up purchase information for ANYONE by just putting in their name address and phone number. Sears has you enter a code and says that keeps you info safe, but that is pretty useless -- I think that just prevents a script from being created, but DOES NOT stop people from entering in any eles info to get the purchase info on big ticket items -- this could bring casing someone's house to a whole new level!!

    I contacted the privace e-mail that the site provided, but no one ever responded. Anyone with any ideas about how to get this service off the web, I would be open to suggestions."

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.