The rumblings over Facebook banning Robert Scoble have opened up all sorts of conversations about who owns or controls your data – see also: Data as currency. One issue that has been highlighted is how easy it is for people to scrape enough information about you to form an identity. Scoble was running an automated script to pull out contact details by the thousand.
Yesterday, another related article cropped up on Techmeme – Sears Exposes Customer Purchase History. It appears that Sears added a feature on their web site where you could look up your purchase history. All you had to do was enter your name, address and telephone number. Trouble is, whilst you had to have an account and log in to the site, you could then enter anybody’s name, address and telephone number to view their purchases. Somebody forgot to restrict access to only the purchases associated with the authenticated user. Since the news became public, Sears have disabled the feature to sort it out.
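To make the Sears mistake concrete, here is an added illustration (my own code, not anything from Sears) of a purchase-history lookup that authenticates the caller but never ties the query to their account, beside the fixed version that scopes the query to the logged-in account, plus a simple log check for sessions that look up many different identities. All names, accounts and log entries are constructed sample data.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Purchase:
    account_id: str   # the account that owns this record
    name: str
    address: str
    phone: str
    item: str


# Constructed sample records for two customers (hypothetical, not real data).
PURCHASES = [
    Purchase("acct-1", "Alice Example", "1 Main St", "555-0100", "toaster"),
    Purchase("acct-2", "Bob Example", "2 Oak Ave", "555-0101", "lawn mower"),
]


def lookup_vulnerable(session_account_id, name, address, phone):
    """Authentication only: the query is keyed solely on the caller-supplied
    identity fields, so any logged-in user can read anyone else's history."""
    if session_account_id is None:
        raise PermissionError("login required")
    return [p.item for p in PURCHASES
            if (p.name, p.address, p.phone) == (name, address, phone)]


def lookup_fixed(session_account_id, name, address, phone):
    """Authorization added: the account from the session is part of the query,
    so the supplied fields can only narrow the caller's own records."""
    if session_account_id is None:
        raise PermissionError("login required")
    return [p.item for p in PURCHASES
            if p.account_id == session_account_id
            and (p.name, p.address, p.phone) == (name, address, phone)]


def flag_enumeration(access_log, max_distinct_identities):
    """Detection aid: given (session_id, (name, address, phone)) entries,
    return sessions that queried more distinct identities than a real
    customer plausibly would. Threshold is an assumption to tune per site."""
    seen = defaultdict(set)
    for session_id, identity in access_log:
        seen[session_id].add(identity)
    return sorted(s for s, ids in seen.items()
                  if len(ids) > max_distinct_identities)


# Constructed access log: one normal session and one harvesting many identities.
SAMPLE_LOG = [("sess-alice", ("Alice Example", "1 Main St", "555-0100"))] + [
    ("sess-scraper", (f"Person {i}", f"{i} Elm St", f"555-02{i:02d}")) for i in range(5)
]
```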
But it does raise yet another warning about how easy it is for companies to accidentally make too much information public, be it downloading database records to a CD or making those records available online. Mash up poor (or missing) security controls with automated scripts that gather contact details and our criminal friends won’t need to go phishing for dinner.