The Sears move came hours after Harvard Business School Assistant Professor Benjamin Edelman published details on how consumers using Sears' ManageMyHome site could find detailed purchase histories about other Sears shoppers merely by typing in their name, phone number and street address into the site. (Related story: analyzing a lawsuit filed against Sears for its latest data breach.)
"Sears offers no security whatsoever to prevent a ManageMyHome user from retrieving another person's purchase history," Edelman wrote on his blog. "To verify a user's identity, Sears could require information known only to the customer who actually made the prior purchase. For example, Sears could require a code printed on the customer's receipt, a loyalty card number, the date of purchase, or a portion of the user's credit card number. But Sears does nothing of the kind. Instead, Sears only requests name, phone number, and address, which is all information available in any White Pages phone book."
Edelman posted several examples, referencing incidents from Washington, D.C., the town of Brookline, Massachusetts and Lincoln, Mass..
Sears was E-mailing a statement late Friday that because of these privacy concerns, "we have turned off the ability to view a customer's purchase history on Manage My Home until we can implement a validation process that will restrict access by unauthorized third parties."