Featured Research

Advertisers Using WhenU

WhenU Violates Own Privacy Policy

WhenU Spams Google, Breaks "No Cloaking" Rules

Documentation of Gator Advertisements and Targeting

"Spyware": Research, Testing, Legislation, and Suits

Sears Exposes Customer Purchase History in Violation of Its Privacy Policy

January 4, 2008


Want to know what a given customer has purchased from Sears? It's surprisingly easy to find out. Here's the procedure:

1) Go to the Sears "Manage My Home" site, www.managemyhome.com . Create an account and sign in. Screenshot.

2) On the Home menu, choose Home Profile. In the Search Purchase History section, choose Find Your Products. Screenshot.

3) Enter the name, phone number, and street address of the customer whose purchases you wish to view. Press Find Products. Screenshot.

Sears then displays all purchases its database associates with the specific customer -- typically major appliances and other large purchases. See examples from Washington, DC, Brookline, Massachusetts, and Lincoln, Massachusetts.

The look-up form. Full form requires first name, last name, phone number, and address, but nothing more.
    
The purchase listing.  Typically provides specific product, purchase date, warranty, and manuals.
The information required to retrieve a customer's purchase history   A customer's purchase history - showing specific items and purchase dates

 

Sears Fails to Protect Customer Information

Sears offers no security whatsoever to prevent a ManageMyHome user from retrieving another person's purchase history by entering that person's name, phone number, and address.

To verify a user's identity, Sears could require information known only to the customer who actually made the prior purchase. For example, Sears could require a code printed on the customer's receipt, a loyalty card number, the date of purchase, or a portion of the user's credit card number. But Sears does nothing of the kind. Instead, Sears only requests name, phone number, and address -- all information available in any White Pages phone book.

Neither does Sears even include any special instructions or obligations in its signup agreement with users: The ManageMyHome Terms of Use say nothing about what information users may access. Indeed, while Sears includes a small-type link to its Terms of Use, Sears never asks users to affirmatively accept the Terms.

 

These Disclosures Are Contrary to Sears's Explicit Promises

Sears violates its privacy policy when it discloses users' purchases to the general public. The Sears Customer Information Privacy Policy lists specific circumstances in which Sears may share customer information. These circumstances are relatively broad -- allowing Sears to share customer data "with members of the Sears family of businesses ... to provide ... promotional offers that we believe will be of interest." Disclosures are also permitted "to provide [users] with products or services that [they] have requested," to "trusted service providers that need access to your information to provide operational or other support services," to credit bureaus, and to regulatory authorities and law enforcement. But none of these provisions grants Sears the right to share users' purchases with the general public.

Sears may argue that its web site privacy policy only applies to users' online purchases, and does not govern purchases made in retail stores. Perhaps. But I doubt in-store customers expect their friends, neighbors, and the general public to be able to find out what they bought. I'm still trying to determine what privacy (if any) Sears promises its in-store customers.

 

Sears's Privacy Breach in Context

Sears's exposure of customer purchase history fits within a long history of unintended web site disclosures. For example, in October 2000 I showed that Buy.com's return system was revealing customer names, addresses, and phone numbers at publicly-available URLs. But Sears's disclosure is more troubling: Sears discloses the specific products users purchased. Sears's disclosures apply to all users, not just those who return products. And Sears's disclosures come some 7+ years after Buy.com's breach -- a period of great advance in online security.

The combination of data Sears provides could open the door to serious harms to Sears customers. ManageMyHome reports the specific products customers purchased, as well as the dates of each such purchase. With this information, a miscreant could approach a customer and pretend to be a Sears representative. Consider: "Your washing machine was recalled, and I need to install a new motor." Or, "I'm here to provide the free one-year check-up on your dishwasher."

 

Assessing Sears's IT Strategy

The ManageMyHome site offers some useful services: Consolidated information about dates of purchase, clear listing of warranty status, and easy links to product manuals. Sears touted these benefits in its recent coverage of ManageMyHome.

But as soon as Sears resolved to provide online access to customers' purchase histories, Sears staff should have recognized the need to determine which users are truly authorized to see this information. Sears's failure to effecitvely authenticate users is therefore puzzling. Did Sears staff fail to notice the problem? Decide to ignore it when they couldn't devise an easy solution to protect users' purchase histories? Resolve to argue that purchase history merits no better protection than the current system provides?

Combining this privacy breach with Sears's poorly-disclosed installation of ComScore tracking software, it appears that Sears is not effectively protecting its users' and customers' privacy. Perhaps that's no surprise in light of Sears's recent financial distress -- a 99% drop in profits in third quarter 2007, compared with the third quarter of 2006. But users need not accept excuses for Sears's lackadaisical treatment of their private information. No matter the company's financial standing, Sears ought to comply with its stated privacy policy and treat user information with the care users rightly expect.

 

Sears's Response

I wrote to Sears ManageMyHome via the addresses on their Contact Us page. To their credit, they responded quickly (less than ninety minutes). However, their reply does not address the seriousness of this situation. Their reply follows:

"We appreciate that you have a security concern. Thank you for taking the time to share your comments with us. We appreciate hearing feedback from our customers, and will pass this information to the appropriate area to research."

Update (January 4, 5pm): Sears has disabled the search feature described above. Attempts to retrieve a purchase history now yield the message "We're sorry, this feature is currently disabled."

 

Thanks to an anonymous contributor, using pseudonym Heather H, for the tip that led to this article.