Managemyhome.com: Another privacy issue for Sears

Jan 03 2008

Stefan Berteau

http://community.ca.com/blogs/securityadvisor/archive/2008/01/03/managemyhome-com-another-privacy-issue-for-sears.aspx



"Hey Dad, did you guys by any chance buy a new sewing machine from Sears on September 30th?"

"We did.  How did you know that?"

"I just found it listed on a Sears web site.  It looks like they have another privacy problem."

We were informed about managemyhome.com by Heather, who left the following comment on Benjamin Googins' last blog entry:

OMG.  It gets worse!  Check out a Sears site, managemyhome.com.  Once you register, you can look up major purchases for ANY address.  All you need to do is enter a name, address and phone number, and if the person attached to that info has made a major purchase at Sears, you get that info!!  They have no real controls in place -- you have to enter an onscreen code and they say that keeps your info safe, but that does not stop someone from entering other people's contact info to see their product purchases.  This brings casing someone's house to a whole new level.

I contacted the compliance e-mail listed on the site, and never got a response, which confirms that Sears does not care about the customer or customer privacy.  If anyone has any ideas about how to get in contact with someone over there that might care about customer privacy, I'd welcome the ideas.  That service should really be off the site.

What do you have to say to that, Rob?

I checked this out, and sure enough, in about 2 minutes I was looking at every purchase my parents had made since 1989.  What's worse, I had used no more info than is publicly listed in the phone book: their name, address, and telephone number.  Once you have an account at http://www.managemyhome.com/ and have logged in, select the first option (Home Profile) from the "Home" pull-down menu on the main page.  In the upper right corner of the page, you should see a "Sears Purchase History", with a button labeled "Find my Products".

This was obviously introduced to let me look at my own purchase history, but unfortunately the only information they asked for when I followed that button was a name, phone number, and address.  To test this out, I put in my parents' information (I want to stress that this is the exact same info listed under their name in the phone book) and was rewarded with a list of their major Sears purchases running back almost two decades to when they first moved in to that house.
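The design flaw described above is that the "Find my Products" lookup treats a name, phone number and address as proof of identity, even though all three are public. The following is an added illustration written for this page, not Sears' code or anything recovered from the site: it models that weak lookup against a constructed in-memory record store, and beside it a hardened variant (an assumed fix, not a documented Sears change) that only honours a phone number the logged-in account has already proven it controls, so typing a neighbour's phone-book entry returns nothing.

```python
"""Schematic model of a purchase-history lookup gated on public data.

Added example for this page; the records, accounts and the phone
verification mechanism are all constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Purchase:
    name: str
    phone: str
    address: str
    item: str
    year: int


# Constructed sample data, not real customers.
PURCHASES = [
    Purchase("Pat Example", "555-0100", "12 Elm St", "sewing machine", 2007),
    Purchase("Pat Example", "555-0100", "12 Elm St", "stove repair", 1998),
    Purchase("Sam Sample", "555-0199", "9 Oak Ave", "television", 1978),
]


def normalize(s: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(s.lower().split())


def weak_lookup(name: str, phone: str, address: str) -> list:
    """The pattern the post describes: any logged-in user types a name,
    phone and address and receives that person's history. Nothing ties
    the supplied contact details to the caller, so a phone book is
    sufficient to enumerate a neighbourhood."""
    key = (normalize(name), normalize(phone), normalize(address))
    return [
        p for p in PURCHASES
        if (normalize(p.name), normalize(p.phone), normalize(p.address)) == key
    ]


@dataclass
class Account:
    user_id: str
    # Phone numbers this account has confirmed it controls, e.g. by
    # entering a code sent to the number (assumed mechanism).
    verified_phones: set = field(default_factory=set)


def hardened_lookup(account: Account, name: str, phone: str, address: str) -> list:
    """Assumed hardening: the lookup key must be a phone number the
    account already proved possession of. Public knowledge of someone
    else's number no longer yields their records."""
    verified = {normalize(p) for p in account.verified_phones}
    if normalize(phone) not in verified:
        return []  # deny rather than reveal whether a record exists
    return weak_lookup(name, phone, address)


if __name__ == "__main__":
    stranger = Account("stranger")
    owner = Account("pat", {"555-0100"})
    print("weak:", weak_lookup("Pat Example", "555-0100", "12 Elm St"))
    print("hardened, stranger:", hardened_lookup(stranger, "Pat Example", "555-0100", "12 Elm St"))
    print("hardened, owner:", hardened_lookup(owner, "Pat Example", "555-0100", "12 Elm St"))
```

The hardened variant still returns an empty list rather than an error on a mismatch, so an attacker cannot use the response to confirm that a given name and address have a Sears record at all; that matters because confirming a household has history is itself the casing information the post worries about.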

With their consent we have tested this technique with other individuals and have received reliable results every time. If they'd had major dealings with Sears, that information is now available to the public, from a television bought in 1978 to a stove which was purchased elsewhere but had been repaired by a Sears technician.

Heather's original comment was right: among numerous other potentially invasive or harmful uses for this information, a potential burglar or scam artist could quite easily sit at home with a phone book, checking to see what people in a given neighborhood had purchased, complete with date of purchase, make, model, and warranty information, everything they'd need to bluff their way through picking it up for a "recall".

Customers have not consented to the release of this information online.  While Sears is attempting to provide it to the original purchasers as a convenience, the poor security measures which were put in place allow literally anyone with an internet connection to look at my purchase history.  This is a real and immediate threat to their customers' privacy, and it needs to be addressed.

