Play the Sears privacy game (and get your neighbor's purchase history)

Ben Edelman, an assistant professor at the Harvard Business School and noted anti-spyware researcher, is on Sears' privacy case again.

This time, Edelman tells you how to find another person's purchase history via Sears' "Manage My Home" site.

If you recall, Edelman highlighted how Sears was using ComScore's software to track your online browsing and violate Federal Trade Commission privacy standards.

It gets worse. Create any account, type in the address and phone number of someone you know and find out what they purchased. Nice, huh?

Edelman has the walkthrough with screenshots. I verified that Sears is clueless on privacy. With a few clicks I found out my mother-in-law bought a vacuum cleaner in 1999 from Sears. I could go through my whole neighborhood for giggles.

And just in case you wanted my neighbor's purchase history here it is:

[Image: searsa.png]

Edelman writes:

Sears offers no security whatsoever to prevent a ManageMyHome user from retrieving another person's purchase history by entering that person's name, phone number, and address.

To verify a user's identity, Sears could require information known only to the customer who actually made the prior purchase. For example, Sears could require a code printed on the customer's receipt, a loyalty card number, the date of purchase, or a portion of the user's credit card number. But Sears does nothing of the kind. Instead, Sears only requests name, phone number, and address -- all information available in any White Pages phone book.
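The contrast Edelman draws, as an added sketch that is not code from Edelman, Sears, or this article: a lookup keyed only on phone-book data beside one that also demands a receipt code, one of the factors he lists. All function names, the record layout, the receipt-code format and the three-attempt lockout are assumptions made for illustration, and the sample record is constructed.

```python
import hashlib
import hmac

SALT = b"constructed-demo-salt"  # constructed value for this example

def _digest(receipt_code):
    # Store and compare the receipt code as a slow salted hash, like a password.
    return hashlib.pbkdf2_hmac("sha256", receipt_code.encode(), SALT, 100_000)

# Constructed sample data: one household, one purchase (hypothetical layout).
PURCHASES = {
    ("jane doe", "555-0100", "1 example st"): {
        "items": ["vacuum cleaner (1999)"],
        "receipt_hash": _digest("R-48213-7706"),
    },
}
MAX_FAILURES = 3   # assumed lockout threshold
_failures = {}     # identity key -> consecutive failed proofs

def _key(name, phone, address):
    return (name.strip().lower(), phone.strip(), address.strip().lower())

def lookup_weak(name, phone, address):
    """Behaviour the article describes: phone-book data alone unlocks history."""
    record = PURCHASES.get(_key(name, phone, address))
    return record["items"] if record else None

def lookup_with_proof(name, phone, address, receipt_code):
    """Release history only when the caller also proves a prior purchase."""
    key = _key(name, phone, address)
    if _failures.get(key, 0) >= MAX_FAILURES:
        return None  # locked: no further receipt-code guesses accepted
    record = PURCHASES.get(key)
    # Hash and compare even for unknown households, so "no such customer"
    # and "wrong code" follow the same path and return the same answer.
    expected = record["receipt_hash"] if record else _digest("no-such-record")
    matches = hmac.compare_digest(_digest(receipt_code), expected)
    if record is not None and matches:
        _failures.pop(key, None)
        return record["items"]
    _failures[key] = _failures.get(key, 0) + 1
    return None
```

A per-identity lockout also locks out the real customer, so a deployment would pair it with per-caller rate limiting and an out-of-band recovery path.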

Edelman also assesses the IT strategy at Sears and wonders how this privacy hiccup could happen. I can answer that one. Take one bankrupt company (Kmart) that has scrimped on mismanaged IT for years including a supply chain overhaul that failed miserably. Take another company that had an IT strategy (Sears). Slap them together in a merger. Toss out all the management that used to have an IT clue (the Sears folks and CSC). And now milk costs. Have a hedge fund manager--Edward Lampert--preside over the company. And poof you have a retailer--that to Lampert was really acquired for the real estate--that still operates on green screens (I was there a few days ago).

It's pure IT magic--and privacy hell.

Update: As a few talkbackers have noted below, Sears has removed this feature after the latest privacy flap. It's a shame it takes a little bad Web publicity to get the company to honor a little privacy.

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
