Privacy Breach Lawsuit Against Sears Is Ridiculous

A $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm.

Usually I support lawsuits against big corporations that expose sensitive customer information. Most corporations only take privacy seriously when you whack them on the nose. But a $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm.

Last week, privacy researcher Ben Edelman wrote about, a Sears Web site that lets customers track purchases and product warranties. He noticed that once you created an account, the site displayed results for any name, address, or phone number that matched a customer record -- whether it belonged to an account-holder or not. It's a textbook example of poor Web application security, and Sears should have known better.

However, the information revealed is relatively harmless: products, model numbers, purchase dates, and warranty information. It doesn't reveal credit card information or other sensitive data.

That hasn't stopped the firm KamberEdelson from filing a class-action complaint for $5 million against Sears. It's hard not to laugh as you read the complaint (PDF). Here's the terrible harm that plaintiffs may have suffered: "... a nosy person can find out how much his neighbor spent on a new washing machine or lawnmower."

The claim goes on to cobble together other scenarios (with zero evidence that any of them occurred). For instance, marketers might mine the site to send advertisements to Sears customers -- as if Sears isn't already selling that information to business partners and affiliates.

It also invokes insidious hackers, who might access the data to pretend to be from Sears and then trick people into giving up credit card or Social Security numbers.

Drew is formerly editor of Network Computing and currently director of content and community for Interop.