Play the Sears privacy game (and get your neighbor's purchase history)

Summary: Ben Edelman, an assistant professor at the Harvard Business School and noted anti-spyware researcher, is on Sears' privacy case again. This time, Edelman tells you how to find another person's purchase history via Sears' "Manage My Home" site.

TOPICS: CXO, Telcos

Ben Edelman, an assistant professor at the Harvard Business School and noted anti-spyware researcher, is on Sears' privacy case again.

This time, Edelman tells you how to find another person's purchase history via Sears' "Manage My Home" site.

If you recall, Edelman highlighted how Sears was using ComScore's software to track your online browsing and violate Federal Trade Commission privacy standards.

It gets worse. Create any account, type in the address and phone number of someone you know and find out what they purchased. Nice huh?

Edelman has the walkthrough with screen shots. I verified that Sears is clueless on privacy. With a few clicks I found out my mother-in-law bought a vacuum cleaner in 1999 from Sears. I could go through my whole neighborhood for giggles.

And just in case you wanted my neighbor's purchase history here it is:

[Screenshot: the neighbor's purchase history as shown on Manage My Home]

Edelman writes:

Sears offers no security whatsoever to prevent a ManageMyHome user from retrieving another person's purchase history by entering that person's name, phone number, and address.

To verify a user's identity, Sears could require information known only to the customer who actually made the prior purchase. For example, Sears could require a code printed on the customer's receipt, a loyalty card number, the date of purchase, or a portion of the user's credit card number. But Sears does nothing of the kind. Instead, Sears only requests name, phone number, and address -- all information available in any White Pages phone book.
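The two designs Edelman contrasts, as an added Python example (not Sears' code; the customer record, the receipt code and the lockout threshold are constructed for illustration): a lookup keyed only on directory data beside one that also demands a code printed on the receipt.

```python
import hmac

# Constructed sample records, keyed by the public directory fields Sears accepted.
# Each record also carries a code printed on the customer's receipt (constructed value).
SAMPLE_RECORDS = {
    ("jane doe", "5550100", "12 elm st"): {
        "receipt_code": "RCPT-7F3A9C",
        "purchases": ["vacuum cleaner (1999)"],
    },
}


def _key(name, phone, address):
    """Normalize the directory fields so casing and phone punctuation do not matter."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return (name.strip().lower(), digits, " ".join(address.lower().split()))


def lookup_weak(records, name, phone, address):
    """The ManageMyHome pattern: anyone who knows the phone-book fields gets the history."""
    rec = records.get(_key(name, phone, address))
    return rec["purchases"] if rec else None


class VerifiedLookup:
    """Hardened version: the caller must also present a secret only the purchaser has
    (here the receipt code), and repeated wrong codes lock the record."""

    MAX_FAILURES = 5  # constructed threshold

    def __init__(self, records):
        self.records = records
        self.failures = {}

    def lookup(self, name, phone, address, receipt_code):
        key = _key(name, phone, address)
        if self.failures.get(key, 0) >= self.MAX_FAILURES:
            return None  # locked; the customer must recover access another way
        rec = self.records.get(key)
        # Always run the comparison, against a placeholder when no record exists,
        # so known and unknown customers take the same code path.
        expected = rec["receipt_code"] if rec else "RCPT-000000"
        ok = hmac.compare_digest(expected.encode(), receipt_code.encode())
        if rec and ok:
            self.failures.pop(key, None)
            return rec["purchases"]
        self.failures[key] = self.failures.get(key, 0) + 1
        return None
```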

Edelman also assesses the IT strategy at Sears and wonders how this privacy hiccup could happen. I can answer that one. Take one bankrupt company (Kmart) that has mismanaged IT for years, including a supply chain overhaul that failed miserably. Take another company that had an IT strategy (Sears). Slap them together in a merger. Toss out all the management that used to have an IT clue (the Sears folks and CSC). And now milk costs. Have a hedge fund manager--Edward Lampert--preside over the company. And poof, you have a retailer--that to Lampert was really acquired for the real estate--that still operates on green screens (I was there a few days ago).

It's pure IT magic--and privacy hell.

Update: As a few talkbackers have noted below, Sears has removed this feature after the latest privacy flap. It's a shame it takes a little bad Web publicity to get the company to honor a little privacy.


Talkback

12 comments
  • Well Kmart never scrimped on IT...

    They bought way more than they ever needed, the only scrimping I saw was on their new data center, within 6 months they had to power down so the electric company could add more power.
    mrOSX
    • Good point

      They didn't scrimp until they hit the skids and had to. I'll change to mismanaged
      Larry Dignan
  • If Edelman can not understand how this happened

    then his thinking is too small scale. He must remember that many a time mergers and other grand ideas that are born of the truly higher ups underestimate the complexity or problems of actually implementing that which they have signed off on and must now deliver to their stockholders.

    For all we know, they may have presented suggestions that were quite secure but would take more time, and told to instead just come up with something in some short amount of time, or else.

    Maybe this was the best they could put together during their lunch hour.
    GuidingLight
    • BTW

      [i]These Disclosures Are Contrary to Sears's Explicit Promises[/i]

      I think he is reaching with that one, to tell the truth

      Note: Not defending Sears in any way, heck, MY purchases can be open for all to see: Nothing like letting everyone see the contents of my workshop! Maybe if I buy an alarm, when it shows up on the list, that will be enough to scare off any thieves
      GuidingLight
  • RE: Play the Sears privacy game (and get your neighbor's purchase history)

    I have to take exception with this statement too.
    Toss out all the management that used to have an IT clue (the Sears folks and CSC).

    Seeing as Sears and Kmart did not merge till way after 1999.

    "found out my mother in law bought a vacuum cleaner in 1999 from Sears."
    mrOSX
    • I think you misunderstand the issue

      The information of her purchases from 1999 (and probably much earlier) were always sitting on a server someplace at Sears. The fact that the new IT staff [i]allowed[/i] that information to be seen come 2007 has nothing to do with when the merger happened
      GuidingLight
  • The race is on!

    Now it's a race to see who can finish first ... can Sears fix their site's security before data farmers can create scripts to extract the buying history of every name/address/phone number in the telephone directory?

    Personally, I put my money on the data farmers. I would be surprised if they weren't already running such scripts so that they can sell the contact list information.
    ac2_z
    • You left out the lawyers

      racing to make this a money making class action or per user suit. Oops Sears.
      Boot_Agnostic
  • RE: Play the Sears privacy game (and get your neighbor's purchase history)

    looks like they've taken it down. The link was gone, so I went direct to the URL. I filled out the form, and I got: "We're sorry, this feature is currently disabled. Please visit again soon."
    JColgan
    • RE: Website down

      I can't even get the website to come up.. I figured someone got smart and pulled the plug.
      Qlueless
  • I Looked Up No_Axe's Information Before They Took It Down

    His past purchases:

    Apple IPod Classic
    Sony Playstation 3
    How To Rip MP3s Legally
    Windows To Linux easy migration guide

    Shame on you!
    itanalyst
  • RE: Play the Sears privacy game (and get your neighbor's purchase history)

    Interested in a class action. Someone has already filed:

    http://blog.washingtonpost.com/securityfix/2008/01/class_action_suit_alleges_sear.html
    cometogether73223