Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Sears stores have largely disappeared across the United States, but the brand's appliance repair service is still running, with a modern twist: an artificial intelligence chatbot and phone assistant named Samantha. As the landmark retailer steps into the future, new research shows that conversations people had with the chatbot have been publicly exposed online.
Because Sears remains a trusted name but is largely out of the public eye, security researcher Jeremiah Fowler was surprised and upset last month when he found three publicly exposed databases containing massive amounts of chat logs, audio files, and transcripts of audio with personal details about Sears Home Services customers. The Home Services department claims to be the “largest provider of appliance repair services” in the United States, reportedly performing more than seven million repairs each year.
The exposed Sears databases revealed by Fowler, which have since been secured, contained 3.7 million conversation records, as well as 1.4 million audio and plain text files from 2024 to this year. Fowler found that one CSV file from the incident contained 54,359 complete conversation records. The conversations seen by Fowler included the chatbot introducing itself as “Samantha, Sears Home Services’ AI virtual voice agent,” with the logs also including the name of the company’s AI technology, Kairos. The data cache contained conversations in English and Spanish and included personal information about Sears customers, such as names, phone numbers, home addresses, owned appliances, and information about delivery times and repairs.
“The thing to remember is that this is real data from real people,” says Fowler, a researcher at information security firm Black Hills. While companies may be able to save money by deploying AI, he stresses that it is important “not to take any shortcuts when it comes to protecting and securing that data. At the very least, those files should be password protected and encrypted.”
After finding the databases publicly accessible in early February, Fowler emailed employees at Transformco, the company that owns Sears and Sears Home Services, and the databases were quickly secured, he says. It is unclear how long the online databases were exposed and whether anyone other than Fowler had access to them during that period. Transformco did not respond to multiple requests for comment from WIRED about the information available to anyone on the web.
Fowler says that when he disclosed the finding to Transformco, he received a response from someone who claimed they were connecting him directly to the director of the Samantha AI Chatbot. He says the person never responded to him, even after a follow-up message.
Any exposed customer data is a problem, but Fowler was particularly concerned about Sears’ data for two reasons. First, such information can be extremely useful in phishing attacks, because it includes details about customers’ contact information and home lives, including their devices, which can be exploited for warranty fraud and other targeting.
The second shock came from the fact that a surprising number of voice calls picked up hours of ambient audio after customers apparently thought the call had ended. Some recordings were up to four hours long. It’s not clear why customers left calls running once they finished speaking to a Sears AI agent, but these extended recording sessions may have captured private conversations and sensitive details that Sears customers thought they were discussing privately as they went about their days. “You could hear the TV turning on, you could hear people talking, and it recorded all of that,” Fowler says.