Sears Closes Part of Site, Concedes Purchases Revealed
The retailer shuts down its Manage My Home site after a blogger shows the site was revealing customer information.On the heels of admitting that it was using spyware on one of its e-commerce sites, Sears officials said Jan. 4 they were temporarily shutting down part of another Sears e-commerce site after discovering that it allowed consumers to see explicit details about the purchases of other customers. The Sears move came hours after Harvard Business School Assistant Professor Benjamin Edelman published details on how consumers using Sears' Manage My Home site could find detailed purchase histories about other Sears shoppers merely by typing in their name, phone number and street address into the site.
"Sears offers no security whatsoever to prevent a ManageMyHome user from retrieving another person's purchase history," Edelman wrote on his blog. "To verify a user's identity, Sears could require information known only to the customer who actually made the prior purchase. For example, Sears could require a code printed on the customer's receipt, a loyalty card number, the date of purchase, or a portion of the user's credit card number. But Sears does nothing of the kind. Instead, Sears only requests name, phone number, and address, which is all information available in any White Pages phone book."