Privacy Breach Lawsuit Against Sears Is Ridiculous

Posted by Andrew Conry Murray
January 07, 2008

Usually I support lawsuits against big corporations that expose sensitive customer information. Most corporations only take privacy seriously when you whack them on the nose. But a $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm. Last week, privacy researcher Ben Edelman wrote about managemyhome.com, a Sears Web site that lets customers track purchases and product warranties. He noticed that once you created an account, the site displayed results for any name, address, or phone number that matched a customer record -- whether it belonged to an account-holder or not. It's a textbook example of poor Web application security, and Sears should have known better.

However, the information revealed is relatively harmless: products, model numbers, purchase dates, and warranty information. It doesn't reveal credit card information or other sensitive data.

That hasn't stopped the firm KamberEdelson from filing a class-action compliant for $5 million against Sears. It's hard not to laugh as you read the compliant (PDF). Here's the terrible harm that plaintiffs may have suffered: "??? a nosy person can find out how much his neighbor spent on a new washing machine or lawnmower."

The claim goes on to cobble together other scenarios (with zero evidence that any of them occurred). For instance, marketers might mine the site to send advertisements to Sears customers -- as if Sears isn't already selling that information to business partners and affiliates.

It also invokes insidious hackers, who might access the data to pretend to be from Sears and then trick people into giving up credit card or Social Security numbers.

Related Reading

More Insights