Ben Edelman, an assistant professor at the Harvard Business School and noted anti-spyware researcher, is on Sears' privacy case again.
This time, Edelman tells you how to find another person's purchase history via Sears' "Manage My Home" site.
If you recall, Edelman highlighted how Sears was using ComScore's software to track your online browsing and violate Federal Trade Commission privacy standards.
It gets worse. Create any account, type in the address and phone number of someone you know and find out what they purchased. Nice huh?
Edelman has the walkthrough with screen shots. I verified that Sears is clueless on privacy. With a few clicks I found out my mother-in-law bought a vacuum cleaner in 1999 from Sears. I could go through my whole neighborhood for giggles.
And just in case you wanted my neighbor's purchase history, here it is:
Sears offers no security whatsoever to prevent a ManageMyHome user from retrieving another person's purchase history by entering that person's name, phone number, and address.
To verify a user's identity, Sears could require information known only to the customer who actually made the prior purchase. For example, Sears could require a code printed on the customer's receipt, a loyalty card number, the date of purchase, or a portion of the user's credit card number. But Sears does nothing of the kind. Instead, Sears only requests name, phone number, and address -- all information available in any White Pages phone book.
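The kind of check Edelman describes, as an added illustration that is neither Sears' code nor Edelman's: the lookup keyed only on phone-book data, beside one that also demands a receipt code that is stored hashed, compared in constant time, and locked out after repeated misses. The record, receipt code, and function names are constructed sample values.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

def hash_receipt_code(code: str, salt: bytes) -> bytes:
    # Receipt codes are stored salted and hashed, like passwords, so a leaked
    # database does not hand out the one secret the lookup relies on.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

# Constructed sample record, not real customer data.
_SALT = secrets.token_bytes(16)
PURCHASES = [{
    "name": "Jane Doe", "phone": "555-0100", "address": "1 Main St",
    "item": "vacuum cleaner", "year": 1999,
    "salt": _SALT, "receipt_hash": hash_receipt_code("RC-7731-ZQ", _SALT),
}]

def lookup_weak(name, phone, address):
    """The flaw described above: every 'credential' is White Pages data."""
    return [p["item"] for p in PURCHASES
            if (p["name"], p["phone"], p["address"]) == (name, phone, address)]

MAX_ATTEMPTS = 5
_failures = defaultdict(int)  # failed attempts, keyed by the record queried

def lookup_hardened(name, phone, address, receipt_code):
    """Require a secret only the purchaser holds; lock out repeated misses."""
    key = (name, phone, address)
    if _failures[key] >= MAX_ATTEMPTS:
        return None  # locked: stops guessing receipt codes against one customer
    for p in PURCHASES:
        if (p["name"], p["phone"], p["address"]) != key:
            continue
        candidate = hash_receipt_code(receipt_code, p["salt"])
        if hmac.compare_digest(candidate, p["receipt_hash"]):
            _failures[key] = 0
            return [p["item"]]
    # Same response for "no such customer" and "wrong code", so the form
    # cannot be used to confirm whether a given name/phone/address shopped here.
    _failures[key] += 1
    return None
```
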
Edelman also assesses the IT strategy at Sears and wonders how this privacy hiccup could happen. I can answer that one. Take one bankrupt company (Kmart) that has scrimped on and mismanaged IT for years, including a supply chain overhaul that failed miserably. Take another company that had an IT strategy (Sears). Slap them together in a merger. Toss out all the management that used to have an IT clue (the Sears folks and CSC). And now milk costs. Have a hedge fund manager--Edward Lampert--preside over the company. And poof, you have a retailer--that to Lampert was really acquired for the real estate--that still operates on green screens (I was there a few days ago).
It's pure IT magic--and privacy hell.
Update: As a few talkbackers have noted below, Sears has removed this feature after the latest privacy flap. It's a shame it takes a little bad Web publicity to get the company to honor a little privacy.