corigin.com

software news

Sears’s Privacy Promises Broken?

Posted in Live (January 4, 2008 at 11:41 pm)

Sears is having a bit of a rough day with the privacy community. The company got off to a rocky start with revelations that many customers who gave Sears their personal details after shopping at the company’s Web site also were giving away their online Web browsing habits to marketers, thanks to snooping software silently installed (and ill-documented) by a Sears marketing partner.

Now, it appears the company’s Web site may also be making those shopping habits publicly searchable, at least as they relate to products purchased in Sears stores and/or via its Web site.

The discovery comes from Ben Edelman, an assistant professor at the Harvard Business School and a privacy expert whose research has done much to raise public awareness about the intersection of big business and shady advertising practices.

Sears offers no security whatsoever to prevent any user from retrieving a third party’s purchase history, Edelman said. Such disclosures violate the company’s own privacy policy, no part of which “grants Sears the right to share users’ purchases with the general public.”

“Sears could request information known only to the customer who actually made the prior purchase,” such as a code printed on the customer’s receipt or the date of purchase, Edelman said. “But Sears does nothing of the kind. Sears only requests name, phone number, and address — all information available in any White Pages phone book.”

To find the purchase history of a shopper at Sears, all one needs to do is create an account at Sears’s “managemyhome.com” site, a Web property advertised prominently on Sears.com.

After creating the new account, from the “Home” menu, choose “Home Profile.” In the “Search Purchase History” section, press the “Find Your Products” button. You’ll be prompted to enter the name, address and phone number of the person whose purchases you wish to view. Then select “Find Products.”

If that person has been a Sears shopper, the site will likely display all purchases in its database associated with the specific person, Edelman found. This screenshot shows one such example, which turned up the purchases that his parents’ neighbors in Washington, D.C., made going back nearly a decade (their name and address have been blacked out of the screenshot).

It’s not yet clear whether the purchase data available on the site includes records of items bought both in Sears retail stores and at Sears.com. Edelman said he believes the ManageMyHome site substantially presents in-store purchase data, but that online purchase data probably is available as well.

“I have searched for the accounts of several folks who definitely do their purchases in stores, not online,” Edelman said in an e-mail to Security Fix. “Their purchase histories come through just as expected.”

A Sears spokesperson did not immediately return calls seeking comment. I will update this blog entry in the event that I hear back from Sears.

If you found purchases that you or someone you know made at Sears.com by using the above-described method, please leave a note in the comment section below.
