• by Wendy Davis  @wendyndavis, January 7, 2008

Sears Roebuck was caught in a major online privacy breach late last week, just days after news surfaced that it was distributing spyware on behalf of comScore.

Researcher Ben Edelman, an assistant professor at Harvard Business School, reported Friday that Sears was making public the entire purchase history of users who had registered at the Manage My Home portal, which offers users information about remodeling and repairs.

Friday afternoon, Sears disabled the feature--which had allowed users to look up information about prior purchases based on the buyer's name, phone number or street address. "We take our customers' privacy concerns very seriously," a Sears spokesperson said in an e-mail to OnlineMediaDaily. "As a result, we have turned off the ability to view a customer's purchase history on Manage My Home until we can implement a validation process that will restrict access by unauthorized third parties."

Although the feature is no longer functional, Sears is still facing fallout. New Jersey resident Christine Desantis late last week brought a putative class-action lawsuit in Cook County, Ill. charging that the retail giant violated its privacy policy, which generally promises not to disclose people's purchases to others. The lawsuit seeks up to $5 million in damage for the class.

Desantis--who made 10 purchases in the last eight years, including a refrigerator, washing machine and air conditioner--alleges that that the glitch makes her and other Manage My Home users vulnerable to identity theft. "Hackers," she argues, "can use the information they have obtained from Sears's website to gain trust over the unsuspecting victim and obtain access to a person's credit information, social security numbers or even a person's house."

For Sears, the incident is second major privacy-related embarrassment in one week. Edelman also reported last week that Sears.com was installing tracking software for comScore. He charged that consumers were not given adequate notice that the software would keep track of all of their online activity.

Ari Schwartz, deputy director of the digital rights policy group Center for Democracy & Technology, said the Manage My Home glitch demonstrates that Sears isn't doing enough to protect people's information. "It shows a lack of respect for privacy from this company," he said, adding that Sears is probably not alone in not thinking through the privacy implications of its Web features.

The Manage My Home snafu isn't the only recent privacy debacle. In November, social networking site Facebook launched the controversial Beacon program, which tells members about their friends' online purchases. At launch, people could opt-out of sharing purchase information, but if they didn't, Facebook shared it by default. After weeks of complaints that the program violated members' privacy, Facebook revamped it to require members' affirmative consent.

Schwartz said the Center for Democracy & Technology is concerned that many consumers are not aware of privacy policies--or how much information about them is even stored--until situations like Manage My Home or Facebook's Beacon program draw attention to the issue. "When they're made aware of it," he said, "they don't like it."