Sears Exposes Customers' Purchase Information
Monday, January 07, 2008
A prior post explained the data privacy problems at the Sears.com and Kmart.com sites. In his blog, Harvard Business School professor Ben Edelman documented customer purchase information is exposed by the Sears "Manage My Home" community portal.
There are smart ways to create a community portal for customers. This is not one. Not even close.
It is a particularly bad implementation because it makes it easy for scammers to abuse Sears consumers. And, it makes it easy for thieves to case homes online to decide which homes have the most valuable items to steal. How? Thieves can get a consumer's name, phone number, and address from any online (or print) telephone white page directory.
Also, the ComputerWorld publication reported:
"US retail giant Sears Holdings has taken part of its Managemyhome.com Web site offline following revelations that the site was making customers' purchasing histories publicly available. Sears disabled the site's "Find your products" section on Friday following criticism from privacy advocates, who said that fraudsters could use information provided by the site to scam Sears customers."
Want to learn more? Read about Sears spyware and poor consumer disclosures.
FYI... I received the following reply from Sears:
From: [email protected]
To: Mailing list spyware :;
Subject: Sears SHC community
Date: Wed, 09 Jan 2008 15:56:19 -0600
Please include the following line in all replies.
Tracking number: UT20080109_0000001021
Dear Customer,
We appreciate your feedback concerning the various news stories that have been published over the last week mentioning Sears Holdings and possible violations of customers’ privacy.
First, it has been claimed that myshccommunity.com was using spyware to obtain your information without your knowledge. We wanted you to know that not only are these allegations false, Sears has taken a number of steps to protect your privacy and wants to assure you that all information you may have shared with us remains confidential and safe.
Members joining My SHC Community through the website link or general email are not tracked. You can only become a tracked member of the My SHC Community if, as you are signing up to join, you receive an invitation from us to install the software. These invitations are generated randomly and, by design, only a small percentage of the Community has been invited to participate. Users are free to decline to participate in the tracking functionality and still be a member of the Community.
Second, it was reported that it is possible for users to obtain information about other customers concerning the type of appliances customers purchased, the brand of the appliance and if the customer maintained a protection agreement on the product when registered on www.managemyhome.com .
We wanted you to know that we take our customers' privacy concerns very seriously. As a result, we have turned off the ability to view a customer’s purchase history on managemyhome.com until we can implement a validation process that will restrict access by unauthorized users.
The purchase history functionality was added to provide you with easy access to useful information about products you might have purchased from Sears. Customers told us that it was a helpful feature for working with the other tools and information available on the site.
We can’t stress strongly enough how committed Sears Holdings is to protecting our customers’ privacy.
Kevin L.
Manager
Sears Holdings Corporation
Posted by: George | Thursday, January 10, 2008 at 11:57 AM