Privacy Breach Lawsuit Against Sears Is Ridiculous

Usually I support lawsuits against big corporations that expose sensitive customer information. Most corporations only take privacy seriously when you whack them on the nose. But a $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm. Last week, privacy researcher Ben Edelman wrote about managemyhome.com, a Sears Web site that lets customers track purchases and product warranties. He noticed that once you created an account, the site displayed results for any name, address, or phone number that matched a customer record -- whether it belonged to an account-holder or not. It's a textbook example of poor Web application security, and Sears should have known better.

However, the information revealed is relatively harmless: products, model numbers, purchase dates, and warranty information. It doesn't reveal credit card information or other sensitive data.

That hasn't stopped the firm KamberEdelson from filing a class-action compliant for $5 million against Sears. It's hard not to laugh as you read the compliant (PDF). Here's the terrible harm that plaintiffs may have suffered: "??? a nosy person can find out how much his neighbor spent on a new washing machine or lawnmower."

The claim goes on to cobble together other scenarios (with zero evidence that any of them occurred). For instance, marketers might mine the site to send advertisements to Sears customers -- as if Sears isn't already selling that information to business partners and affiliates.

It also invokes insidious hackers, who might access the data to pretend to be from Sears and then trick people into giving up credit card or Social Security numbers.While conceivable, this scheme strikes me as unlikely. Fraudsters would have to start blind, by randomly entering names and addresses from the phone book one by one and hoping to find matches. It's a time-intensive, low-margin scam, particularly when bundles of stolen credit card numbers are available all over the Internet. And would you really give your Social Security number to the Maytag man?

The last thing the privacy movement needs is a flood of frivolous lawsuits that capitalize on reasonable fears that corporations are putting our sensitive data at risk. This lawsuit smacks of naked opportunism, and it ticks me off as much as Sears' dumb mistake.