Sears Site Upgrade Inadvertently Bans All Who Don’t Accept Cookies

Written by Evan Schuman
September 12th, 2010

When Sears upgraded its E-Commerce site’s infrastructure in late August, it inadvertently blocked all visitors who don’t accept cookies, a move that the $44 billion chain is now attempting to fix.

Although both industry and Sears sources estimate that only 1.2 to 3 percent of U.S. shoppers block cookies these days, the block could still prevent almost 5 million U.S. shoppers from giving any of their e-dollars to Sears. And it’s another reminder of the unintended consequences of Web and mobile site infrastructure changes.

“This seems to be a recurring problem with any major site changes. You just never know the consequences until you roll it out and hold your breath to see what happens,” said Forrester Research E-Commerce Analyst Sucharita Mulpuru.

That’s a lesson Sears already learned (or should have learned) last August, when a deal with offsite cache vendor Akamai inadvertently allowed some devious site visitors to change the Web pages for other visitors. Those changes made Sears’ pages appear to be selling baby-cooking devices.

The latest problem apparently kicked in on August 19, when Sears changed its Web pages to allow for more customization, according to Web traffic tracking firm Pingdom. Only after launch was it discovered that the changes actually blocked customers whose browsers happen to block cookies.

Cookie-blocking has steadily dropped in popularity in recent years, making this less of an issue. But many consumers are not even aware of what their settings are, either accepting the default software settings or letting them stay where they were set at installation (perhaps by someone else).

How many consumers will likely be impacted? Forrester Research projects that about 160 million Americans will shop online this year. Given the range of 1.2 to 3 percent, that adds up to between 1.9 million and 4.8 million U.S. shoppers who will have a new Sears tagline: “Sears, Where America Shops, Except The 4.8 Million Of You That Block Cookies.”

Forrester Research VP/Principal Analyst Sucharita Mulpuru, who specializes in E-Commerce, said what caught her off-guard was how one of the nation’s oldest and largest retail chains learned of the situation.


5 Comments

  1. Keith Says:

    It would have never crossed my mind either. Not until people started complaining I guess. People still block cookies?
    K Bishop

  2. A Reader Says:

    Blocking cookies is very rare among non-techies. And any techie who does block them deals with warnings like these all the time from various sites, so they’re hardly disenfranchised. They’re barely inconvenienced.

    This “news” is pretty much a non-event, except to show that system readiness testing has to encompass a much broader range of scenarios than most web admins want to imagine.

  3. Evan Schuman Says:

    It depends on what you define as rare, with figures ranging from 1.2 percent to as much as 3 percent, in the U.S. So, yes, from a statistical perspective, 97 percent to almost 99 percent will not be impacted, as the story clearly said. But 1.2 percent to 3 percent of all U.S. shoppers is still a heck of a lot of people. Privacy concerns are pushing a lot more consumers to boost the privacy restrictions on their browsers and firewalls, without necessarily understanding the implications. Don’t be so certain that it’s as rare as you think.

  4. Robin Says:

    I block most cookies and use the pop-up feature to indicate when a site tries to send me a cookie. I will normally accept 2 cookies from a site (I wish there was a setting for this), but when I go to a site that tries to put 72 cookies on my site, it gets totally blocked. Same with a site that tries to install 10 cookies when the page opens.

    My kids get taught about cookies and tracking. My wife gets upset with the information that some sites try to gather.

    Don’t forget flash cookies and the latest, the evercookie.

  5. Distruptable Says:

    Using Firefox, I have the NoScript, RequestPolicy, AdBlocker and BetterPrivacy plugins, which aid in telling me several things:
    A) Where a site attempts to gather ad data from
    B) What other sites are being pointed to within a page
    C) Allows me to stop all downloading and contacting of those sites unless explicitly temporarily enabling them to contact me.

    When I land on a site with more than 10 advertising domains in its front page, I tend to not stay there very long.
    When a site has only itself as a domain and useful information, then I do tend to stay to find out what the site has to say, since it is not making money by my being there.

    Websites, you need to get to grips with the fact that cookies are a security risk.
    Cookies have been dangerous since 1995 and beyond, and we all know why we clear our cookies and clean up that 20 GB of “stored” data from surfing the web on our computers.
    Those who are smart do the best they can to prevent themselves being targets of dangerous, malicious, or unscrupulous privacy invasions.

    However, we can’t train everyone to be security conscious and we can’t have everyone always being ultra-paranoid secure. If we did, then what’s the point of having the internet, because the only security from the internet is to be disconnected from it.

