Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/7/2008
03:43 PM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

Privacy Lawsuit Against Sears Is Ridiculous

Usually I support lawsuits against big corporations that expose sensitive customer information. Most corporations only take privacy seriously when you whack them on the nose. But a $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm.

Usually I support lawsuits against big corporations that expose sensitive customer information. Most corporations only take privacy seriously when you whack them on the nose. But a $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm.Last week, privacy researcher Ben Edelman wrote about managemyhome.com, a Sears Web site that lets customers track purchases and product warranties. Once you created an account, you could track your purchase history by entering your name, address, or phone number. Edelman noticed you could enter any other name and address you wanted. If the information matched a Sears customer record, the site displayed a purchase history. It's a textbook example of poor Web application security, and Sears should have known better. The company has since disabled the site.

While it was a dumb mistake, the information revealed was relatively harmless: products, model numbers, purchase dates, and warranty information. The site did not reveal credit card information or other sensitive data.

That hasn't stopped the firm KamberEdelson from filing a class-action compliant for $5 million against Sears. It's hard not to laugh as you read the complaint.

Here's the terrible harm that plaintiffs may have suffered: "… a nosy person can find out how much his neighbor spent on a new washing machine or lawnmower." Is that really worth $5 million?

The claim goes on to cobble together other scenarios without a shred of evidence that any of them occurred. For instance, marketers might mine the site to send advertisements to Sears customers -- as if Sears isn't already selling that information to business partners and affiliates.

It also invokes insidious hackers, who might access the data to pretend to be from Sears and then trick people into giving up credit card or Social Security numbers.

While conceivable, this scheme strikes me as unlikely. Fraudsters would have to start blind, by randomly entering names and addresses from the phone book one by one in hopes of finding a match. It's a time-intensive, low-margin scam, particularly when bundles of stolen credit card numbers are available all over the Internet. And would you really give your Social Security number to the Maytag man?

The last thing the privacy movement needs is a flood of frivolous lawsuits that capitalize on the legitimate fear that corporations put our sensitive data at risk. This lawsuit smacks of naked opportunism, and it ticks me off as much as Sears' dumb mistake.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9351
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
CVE-2020-9352
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
CVE-2020-9353
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
CVE-2020-9354
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
CVE-2020-9355
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.