That Didn't Take Long At All: Sears Sued For Data Breach

from the $5-million,-please dept

Well, that didn't take very long at all. Late last week, it came out that Sears.com was exposing past purchases to anyone who knew your name, address and phone number -- a violation of Sears' own privacy policy. And, by Monday, we have a $5 million class action lawsuit against Sears. While I do think Sears made a huge mistake here, the class action lawsuit seems a bit extreme. There's no evidence that anyone was actually hurt by this -- and while it was a dumb move by Sears, it's not difficult to understand how it likely came about. Chances are Sears will settle this quickly just to get it out of the news, but really the only winners will be (as per usual) the lawyers.

Filed Under: class action, data breach, privacy
Companies: sears


Reader Comments

  • Anonymous Coward, 8 Jan 2008 @ 7:23am

    well..

    While there may be no current evidence to state that anybody was hurt by this, we have to add 'yet' to that statement.
    In order to protect the identity of others, Sears should have fixed that the moment it was found.

    They didn't, they had over a week to fix it, they didn't, so they have to take it up the rear for their mistakes.

  • Anonymous Coward, 8 Jan 2008 @ 7:44am

    Um...exactly how did it not "protect the identity of others" since you had to know their name, address and phone number? Hello...grab a phonebook dude...you gonna sue YellowBook next?

    • hegemon, 8 Jan 2008 @ 7:51am

      Re:

      Yeah, that's the point. With no more information than what can be obtained from the phonebook, I can see a person's entire purchase history from Sears. If I wanted to, I could open up the phonebook and see the purchase history of every person in the city. While I don't know what, exactly, could be done to 'hurt' someone using their purchase history, it is still a violation of the privacy policy that needs to be addressed. At the very least, it could lead to embarrassment.

      Frankly, Mr. Lamper needs to go down. As a former Sears employee, I would like to see nothing more than that moron's world come crashing down around him.

      • Fushta, 8 Jan 2008 @ 8:16am

        Look at That! New HDTV!

        How can someone be hurt by this?
        Hmm, let me see...
        Stanley & Vivian Thusandsuch just bought a 65" Samsung...
        I have their address...

        How long would it take a "mildly-crafty" thief to pull that one off?

        • Anonymous Coward, 8 Jan 2008 @ 9:08am

          Re: Look at That! New HDTV!

          It was probably a lot easier for that "mildly-crafty" thief to see the huge TV box sitting on the curb on trash day.

          • Boost, 8 Jan 2008 @ 9:57am

            Re: Re: Look at That! New HDTV!

            But that would be a privacy breach by the purchaser of the TV, not Sears. In this case, it was Sears that made the privacy breach that could lead to the decreased security of the customer's home. Think before you type.

        • kilroy, 8 Jan 2008 @ 2:44pm

          Re: Look at That! New HDTV!

          But could you truly fault Sears? Is it possible that by putting out the cardboard box on garbage-day the home-owner provided the same information to would-be thieves?

          I see it all the time: oh, the guy living at #33 on such & such a street just got a brand new laser printer... chances are there is a computer too. Your shopping habits are far from secret; I only have to follow you home from the big-box store to know where you take that HDTV.

  • Killer_Tofu, 8 Jan 2008 @ 7:46am

    Class Action Suit?

    While I am all against large companies leaking any data like this, I do not agree with a Class Action Lawsuit.
    The stupid lawyer who is filing this is going to keep at least half for "legal fee" bull .. poo.
    Lawyers are ruining us, one frivolous lawsuit at a time.

    Don't class action lawsuits need people that were hurt by something to be filed?
    How can the lawyer prove all the people that were affected and get them to join to make this an actual case?
    Did he just sit there plugging in names from a phone book until he had enough?

    It's just a lawyer money grab.

    • Dave S, 8 Jan 2008 @ 9:17am

      Re: Class Action Suit?

      While I am all against large companies leaking any data like this, I do not agree with a Class Action Lawsuit.

      While I do agree with you that we're being ruined by an excess of lawyers who need to make work for themselves, this is a case where the privacy-apathetic company needs to be slapped down for a) putting something like that up for public use without thinking it through first and then b) failing to fix or remove it immediately once a leak of private information was identified. Is a class-action suit the best way to do so? Maybe, maybe not. I don't know. But just ignoring it and hoping they'll eventually get around to plugging up the holes would not have accomplished anything.

  • Roebuck, 8 Jan 2008 @ 7:47am

    Cut 'em Some Slack

    While the name Sears may conjure up images of Kenmore appliances, Bob Vila pitching Craftsman tools and questionable fashions, Sears is a decent business that offers a whole lot of quality goods, often at lower prices than their "upscale" competitors. I can cut them a lot of slack for this apparently minor breach mostly for one reason - they are one of the few businesses that has always paid people who have been called to active duty in the US military.

    When members of the National Guard from a number of states were called to serve in Iraq, the deployment disrupted a whole lot of families. Many of the men and women called to duty are married and have settled into their lives. Families of Sears employees who were called up continued to receive the regular paycheck of the family member who was called. To me, that's the right thing to do and I will always support this business, if for no other reason than to thank them for their patriotism.

    • Shalkar, 8 Jan 2008 @ 1:04pm

      Re: Cut 'em Some Slack

      I had no idea they did this. I have never heard of any business/company doing this. It certainly sways me over to their side.

  • Anonymous Coward, 8 Jan 2008 @ 9:27am

    The first anonymous coward was whining that Sears did nothing to protect the identity of others... in order to protect the identity of others, Sears should have fixed that the moment it was found. Sears did nothing to divulge the identity of anyone was my point. They may not have reacted fast enough to protect the identity of the purchases of its customers, but they didn't divulge the identity of those customers to begin with.

  • Glo, 8 Jan 2008 @ 10:25am

    it doesn't matter that nobody got hurt

    The point is that Sears intentionally disclosed customer data. This could not be attributed to incompetence. If it is incompetence, then this level of incompetence should be criminalized.

    The officers and directors at Sears need at least 90 days in Joe Arpaio's jail for this. Maybe $1Billion is an adequate fine.

    There is absolutely no excuse for this. None!

  • Anonymous Coward, 8 Jan 2008 @ 10:58am

    PIE!!!!!!!!

  • Rich Kulawiec, 8 Jan 2008 @ 11:10am

    Re: It doesn't matter that nobody got hurt

    I concur. To borrow a line from "American Treasure", Somebody's got to go to prison. If not for this, then for the spyware that they're peddling.

    Until Cxx-level executives are held personally responsible for this kind of nonsense, it will continue. Nobody will lose their job. Nobody will lose their golden parachute. Nobody will lose anything -- except the victims, who have already lost anyway.

    So yeah, I recognize that the lawyers bringing this suit may ultimately turn out to be the only people who benefit from it. I'm fine with that, as long as it inflicts serious pain on Sears. My disappointment is really (a) the amount is 100X too small and (b) it's a civil action, so none of the Sears executives will shortly be calling an 8x8 box "home".

  • Anonymous Coward, 8 Jan 2008 @ 11:18am

    So a class action lawsuit against Sears because it was easy to see what you bought.

    Meanwhile other companies (and the government, in Ohio I believe it was) leak credit card information and social security numbers and don't even get fined.

    Yea, this isn't a money grab at all.

  • Twinrova, 8 Jan 2008 @ 12:41pm

    Good! Let the lawsuit begin!

    I don't believe the lawsuit is a bad thing. If ANYTHING comes out of this, it's a black eye for Sears for deliberately screwing over its most prized asset: its consumers.

    I despise it when companies do this. There was NO REASON for Sears to even want this data, let alone the politeness of just asking if it were okay to capture it.

    With T&Cs getting so verbose anymore, it has just become second nature to say "No" to everything, even if it means not ordering anything.

    In this day of identity theft, NO personal information should be taken without permission regardless how "safe" it may seem.

    For the poster who made the comment about YellowPages, sure, go get my information that way.

    Oh, wait. You can't. I don't publish my information.

    Had I signed up to Sears' smoke and mirror tactics of "community", I would have been boned with even more mailbox junk at the least.

    Now, if someone can start a "war" on why, all of a sudden, Verizon is allowing unsolicited text ads and making consumers pay for them.

    I had to stop all texting features because of it!

    DOWN WITH ADVERTISING!

  • Clueby4, 8 Jan 2008 @ 1:23pm

    Wipe it please!

    I'm sorry this was not a "mistake", they exposed all purchase histories, from what I heard. So even if the person had not created an account for the site the purchase histories were available.

    To get access and provide an infrastructure to this data is not trivial even without addressing security issues, which as this blunder illustrates were probably never considered.

    Screw Sears and any company that abuses the legal vacuum that is privacy. Me, I don't think it should be legal for companies to retain personal information, at all without written content, renewed every 6 months.

  • Rusty Shackleford, 8 Jan 2008 @ 3:47pm

    Loser Lawsuits

    Once again we see people trying to get rich quick. Although I cannot say Sears was in the wrong, I can't help but think the customer is reaching for the stars. I have had friends like this... looking to make a lifestyle out of a simple mistake... not knowing the steps that were taken, the reaction received from the company... I can only look back to other events I have seen... like getting a trip to Disneyland as payment for lost pictures at a photo lab... people expect to get the world handed to them, and in the end it costs us all.

  • Cixelsid, 8 Jan 2008 @ 4:39pm

    I'm afraid of Americans and their lawsuits.

    • Rusty Shackleford, 9 Jan 2008 @ 6:44pm

      Re:

      And Canadians and theirs as well.... hope I spelled it right for you this time... lol

  • Someone who cares, 8 Jan 2008 @ 8:26pm

    RE: Wipe it please

    Quite frankly, I like Sears and enjoy shopping there...it's one of the few stores left that cares about their customers. What I don't like is the ridiculous language used from some of the earlier posts i.e. "they exposed all purchase histories"; "Screw Sears and any company that abuses the legal vacuum that is privacy". There would only be abuse here if they threw this stuff out for all to see, which apparently isn't the case-->people figured out a way to exploit the system.

  • Someone who cares, 8 Jan 2008 @ 8:30pm

    RE: Wipe it please

    "I don't think it should be legal for companies to retain personal information, at all without written content"--guess you also wanna give up your ability to return items since removing this info also removes your proof of purchase. You give them written consent when you type in the forms and agree to Terms and Conditions, just like anywhere else BTW.

  • Bonnie Walton, 21 Jul 2008 @ 4:43pm

    As upon receiving my credit report I noticed someone had used my name and had a current account of a maximum of $10,000! Calling the Sears data center, "NO-ONE" knew my name! As I look on this first report of suing them might be an option I might consider taking.

  • former, 5 Oct 2008 @ 4:56pm

    customer information

    Before it became law, Sears printed complete account numbers on sales checks. As an employee we could use what was called a three part copy slip. This gave the account numbers to the delivery services, employees working on the dock and merchandise pick up. We as sales people were encouraged to make these copies (to cover our own butts). There are thousands of employees and former employees with this information.
