Sears’ AI Chatbot Exposes Large Amounts of Sensitive Customer Data
Renowned department store chain, Sears, may have disappeared from sight in the United States, but its reputation and device repair service still stand – now equipped with a modern twist: an AI chatbot and a phone assistant named Samantha. However, the brand’s technological advancements have not been without controversy. Recent research reveals that conversations with the chatbot were made publicly available online, raising serious concerns about data privacy.
A Surprising Discovery of Publicly Available Data
Security researcher Jeremiah Fowler made a surprising and concerning discovery last month. He found three publicly accessible databases containing vast amounts of chat logs, audio files, and text transcriptions of audio, all revealing personal information about Sears Home Services customers. Sears Home Services claims to be the “largest provider of home appliance repairs” in the United States, completing over seven million repairs annually. This revelation could potentially put a significant number of customers’ data at risk.
The Extent of the Exposed Data
The databases discovered by Fowler, which have since been secured, contained 3.7 million chat logs and 1.4 million audio files and plain text transcripts from 2024 to the present year. A CSV file detailing the incident revealed 54,359 complete chat logs. Conversations included the chatbot introducing itself as “Samantha, an AI virtual voice agent for Sears Home Services.” The logs also revealed the name of Sears’ AI technology, “kAIros.” The data cache contained chats in both English and Spanish and included personal details about Sears customers, such as their names, phone numbers, home addresses, device ownership, and delivery schedules and repair information.
The Importance of Data Security in AI Technology
“You have to remember that this is real data from real people,” warns Fowler, a researcher at Black Hills Information Security. He stresses the importance of data security in AI technology, stating that while companies may save money by using AI, they must not cut corners when it comes to protecting and securing this data. “At a minimum, these files should be password protected and encrypted,” Fowler insists.
The Response from Transformco
Upon discovering the databases in early February, Fowler alerted Transformco, the parent company of Sears and Sears Home Services. The databases were promptly backed up, but it remains unclear how long they were available online and whether anyone other than Fowler had access to them during that time. Despite attempts to reach out, Transformco has yet to respond to requests for comments on the matter.
The Potential Consequences of the Data Exposure
All exposed customer data is problematic, but the data from Sears was particularly concerning for Fowler for two reasons. Firstly, the detailed customer information could be exploited for phishing attacks, warranty fraud, and other targeted attacks. Secondly, a number of the audio calls recorded ambient noise for hours after customers believed the call had ended. Some recordings lasted up to four hours, potentially capturing private conversations and sensitive details. “You could hear the TV, you could hear people talking, and it was all being recorded,” Fowler says.
The incident serves as a stark reminder of the importance of data security in our increasingly digital world. As AI technology continues to evolve, it is crucial that companies prioritize their customers’ privacy and security.
For more detailed information about this incident, you can read the full report here.
