Sears Exposed AI Chatbot Phone Calls and Text Chats to Anyone on the Web

Sears Department Stores have largely disappeared in the United States, but the brand and its appliance repair service are still in business, with a modern twist: an AI chatbot and a phone assistant named Samantha. As the historic retailer looks to the future, new research shows that the conversations people had with the chatbot were publicly exposed online.
Given that Sears is still a trusted name but largely out of the public eye, security researcher Jeremiah Fowler was surprised and alarmed last month when he discovered three publicly exposed databases containing massive amounts of chat logs, audio files and verbatim transcriptions of audio containing personal details about Sears Home Services customers. The Home Services division claims to be the “largest provider of home appliance repair services” in the United States and states that it performs more than seven million repairs each year.
The exposed Sears databases discovered by Fowler, which have since been secured, contained 3.7 million chat logs, as well as 1.4 million audio files and plain-text transcripts dating from 2024 to this year. A single CSV file within the exposed data contained 54,359 complete chat logs. The conversations Fowler saw included the chatbot introducing itself as “Samantha, an AI virtual voice agent for Sears Home Services,” and the logs also carried the name of the company’s AI technology, “kAIros.” The data cache contained chats in English and Spanish and included personal information about Sears customers, such as names, phone numbers, home addresses, appliances owned, and details of delivery appointments and repairs.
“The bottom line is that this is real data from real people,” says Fowler, a researcher at Black Hills Information Security. While companies can save money by deploying AI, he stresses that it’s crucial that they “take no shortcuts when it comes to protecting and securing this data. At the bare minimum, these files should have been password protected and encrypted.”
After finding the databases publicly available in early February, Fowler emailed staff at Transformco, the company that owns Sears and Sears Home Services, and the databases were quickly secured, he says. It is unclear how long the databases were exposed online and whether anyone other than Fowler accessed them during that time. Transformco did not respond to multiple requests for comment from WIRED regarding why the data was accessible to anyone on the web.
Fowler says that when he disclosed the discovery to Transformco, he received a response from someone who said they were putting him directly in touch with a manager responsible for the Samantha AI chatbot. He says this person never responded to him, even after a follow-up message.
Any exposed customer data is problematic, but Fowler was particularly concerned about the Sears data for two reasons. First, this information would be extremely useful in phishing attacks, because it pairs customers’ contact details with personal context such as which appliances they own and when a technician is due to visit; a scammer posing as Sears could exploit that for warranty fraud and other schemes.
The second concern was that a surprising number of audio calls captured hours of ambient audio after customers apparently thought the call was over. Some recordings lasted up to four hours. It’s unclear why customers left calls in progress once they finished speaking to the Sears AI agent, but these extended recording sessions may have captured private conversations and sensitive details that customers believed they were discussing privately as they went about their days. “You could hear the TV playing, you could hear people having conversations, and it was all recorded,” Fowler says.