Sears sued over privacy breach

Sears Holdings is facing a class-action lawsuit after making the purchase history of its customers public on its website.


Sears Holdings is facing a class-action lawsuit after making the purchase history of its customers public on its website.

The lawsuit seeks damages as well as an accounting by Sears to determine whether the website was misused by criminals. It was filed on Friday by New Jersey resident Christine Desantis, who is represented by KamberEdelson, a technology law firm. KamberEdelson is best known for its recent settlement with social networking site Facebook over its sending of unwanted text messages to recycled cell-phone numbers.

"It's a pretty simple case," said Jay Edelson, a partner with the Chicago-based law firm. "Sears decided to put private information of its customers up on the website and make it publicly available. They did it without telling their customers that it was going to happen... and they really did it for their own financial reasons."

Manage My Home is a community portal where Sears shoppers can download product manuals, find product tips and get home renovation ideas. The website had a feature called "Find your products" that ostensibly was designed to help users look up past purchases.

Last Thursday, researchers at security vendor CA pointed out that the feature could be used to look up the purchase history of any Sears customer, an apparent violation of the company's privacy policy.

Manage My Home could easily have been misused by criminals, Edelson said. For example, a robber could gain access to a victim's home by posing as a Sears repair person, using the information available on the site. That could be incredibly scary, he said. "They have a duty to keep that information away from the public."

Sears disabled the "Find your products" feature on Friday, saying it would reintroduce the feature once the company figures out a way of ensuring that the information cannot be viewed by unauthorised third parties.

However, the retailer was informed of the problem weeks before it took the feature off-line, Edelson said.

In late December, CA researchers also criticised Sears for downloading invasive comScore Web tracking software onto the desktops of some members of its website without adequate disclosure.

KamberEdelson is also investigating that matter, Edelson said.

"Recommended For You"

Zendesk says breach compromised email addresses Google spots unauthorised French government registered certificates