informa
/
Risk
Commentary

Privacy Lawsuit Against Sears Is Ridiculous

Usually I support lawsuits against big corporations that expose sensitive customer information. Most corporations only take privacy seriously when you whack them on the nose. But a $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm.
Usually I support lawsuits against big corporations that expose sensitive customer information. Most corporations only take privacy seriously when you whack them on the nose. But a $5 million suit recently filed against Sears for exposing customer purchases is more about cashing in than redressing harm.Last week, privacy researcher Ben Edelman wrote about managemyhome.com, a Sears Web site that lets customers track purchases and product warranties. Once you created an account, you could track your purchase history by entering your name, address, or phone number. Edelman noticed you could enter any other name and address you wanted. If the information matched a Sears customer record, the site displayed a purchase history. It's a textbook example of poor Web application security, and Sears should have known better. The company has since disabled the site.

While it was a dumb mistake, the information revealed was relatively harmless: products, model numbers, purchase dates, and warranty information. The site did not reveal credit card information or other sensitive data.

That hasn't stopped the firm KamberEdelson from filing a class-action compliant for $5 million against Sears. It's hard not to laugh as you read the complaint.

Here's the terrible harm that plaintiffs may have suffered: "… a nosy person can find out how much his neighbor spent on a new washing machine or lawnmower." Is that really worth $5 million?

The claim goes on to cobble together other scenarios without a shred of evidence that any of them occurred. For instance, marketers might mine the site to send advertisements to Sears customers -- as if Sears isn't already selling that information to business partners and affiliates.

It also invokes insidious hackers, who might access the data to pretend to be from Sears and then trick people into giving up credit card or Social Security numbers.

While conceivable, this scheme strikes me as unlikely. Fraudsters would have to start blind, by randomly entering names and addresses from the phone book one by one in hopes of finding a match. It's a time-intensive, low-margin scam, particularly when bundles of stolen credit card numbers are available all over the Internet. And would you really give your Social Security number to the Maytag man?

The last thing the privacy movement needs is a flood of frivolous lawsuits that capitalize on the legitimate fear that corporations put our sensitive data at risk. This lawsuit smacks of naked opportunism, and it ticks me off as much as Sears' dumb mistake.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5