Sears Shuts Down Part Of Site, Concedes It Was Revealing Purchases
Written by Evan SchumanOn the heels of admitting this week that it was using spyware on one of its E-Commerce sites, Sears on Friday said that it was temporarily shutting down part of another Sears E-Commerce site after admitting that it allowed consumers to see explicit details about the purchases of other consumers.
The Sears move came hours after Harvard Business School Assistant Professor Benjamin Edelman published details on how consumers using Sears’ ManageMyHome site could find detailed purchase histories about other Sears shoppers merely by typing in their name, phone number and street address into the site. (Related story: analyzing a lawsuit filed against Sears for its latest data breach.)
"Sears offers no security whatsoever to prevent a ManageMyHome user from retrieving another person’s purchase history," Edelman wrote on his blog. "To verify a user’s identity, Sears could require information known only to the customer who actually made the prior purchase. For example, Sears could require a code printed on the customer’s receipt, a loyalty card number, the date of purchase, or a portion of the user’s credit card number. But Sears does nothing of the kind. Instead, Sears only requests name, phone number, and address, which is all information available in any White Pages phone book."
Edelman posted several examples, referencing incidents from Washington, D.C., the town of Brookline, Massachusetts and Lincoln, Mass..
Sears was E-mailing a statement late Friday that because of these privacy concerns, "we have turned off the ability to view a customer’s purchase history on Manage My Home until we can implement a validation process that will restrict access by unauthorized third parties."
-Marc
January 5th, 2008 at 5:14 pm
Gee, that makes me feel good.Is it legal for these big companies to misuse our data like this?I will never go back to Sears again.