On the heels of admitting that it was using spyware on one of its e-commerce sites, Sears officials said Jan. 4 they were temporarily shutting down part of another Sears e-commerce site after discovering that it allowed consumers to see explicit details about the purchases of other customers.
The Sears move came hours after Harvard Business School Assistant Professor Benjamin Edelman published details on how consumers using Sears’ Manage My Home site could find detailed purchase histories of other Sears shoppers merely by typing a shopper’s name, phone number and street address into the site.
“Sears offers no security whatsoever to prevent a ManageMyHome user from retrieving another person’s purchase history,” Edelman wrote on his blog. “To verify a user’s identity, Sears could require information known only to the customer who actually made the prior purchase. For example, Sears could require a code printed on the customer’s receipt, a loyalty card number, the date of purchase, or a portion of the user’s credit card number. But Sears does nothing of the kind. Instead, Sears only requests name, phone number, and address, which is all information available in any White Pages phone book.”
Edelman posted several examples, referencing incidents from Washington, the town of Brookline, Mass. and Lincoln, Mass.
Sears said in a statement that, because of these privacy concerns, “we have turned off the ability to view a customer’s purchase history on Manage My Home until we can implement a validation process that will restrict access by unauthorized third parties.”
Retail Center Editor Evan Schuman can be reached at eschuma@earthlink.net.