Sears exposed customer conversations with AI chatbot to all internet users
Retailer Sears suffered a major data breach: customer conversations with the corporate AI chatbot — phone calls and text chats — were left publicly…
AI-processed from Wired; edited by Hamidun News
American retailer Sears had a serious data breach: customer conversations with the corporate AI chatbot — including phone call recordings and text exchanges — were left openly accessible on the internet. Anyone could view them without authorization and without any special technical skills. According to an investigation by Wired, what was publicly exposed wasn't just technical logs.
The conversations contained customer names, contact information, email addresses, and specific purchase details — when a purchase was made, what exactly, and what problems arose. This is exactly the kind of information that is gold for fraudsters: knowing a person's name, what product they bought, and when they contacted support, a scammer can construct a convincing phishing scenario. The attack scheme looks like this: a scammer calls a Sears customer and poses as a company employee.
"Hello, Maria. We're calling about your refrigerator order from April 12 — there are problems with delivery." The person doesn't sense any deception: the details match perfectly.
Next comes a request to confirm payment information, pay for "re-delivery," or follow a link to "confirm your address." This scenario is called spear phishing — it works orders of magnitude more effectively than mass mailings precisely because it uses the victim's real personal data. The Sears incident is not an isolated case, but a symptom of a systemic problem.
As retailers, banks, and service companies mass-deploy AI chatbots for customer service, the volume of personal data these systems collect and store is growing rapidly. Modern chatbots conduct full-fledged conversations, remember the context of previous interactions, and have access to order history. This makes them useful support tools — and simultaneously dangerous points of failure when data storage is configured improperly.
From a security perspective, chatbot conversation logs are particularly valuable to attackers for several reasons. Customers communicate with bots openly — describing problems with details they wouldn't share with a stranger. The data is structured and easily processed: name, date, type of request — a ready-made profile for an attack.
Finally, users don't expect that their technical correspondence with a bot could become public, and they don't exercise caution the way they would when filling out official forms.
Sears' response to the incident remained unknown at the time of publication. The company is going through difficult times: once the largest American retailer, it has shrunk to a small chain after years of financial troubles and bankruptcy in 2018.
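One concrete mitigation for the risk described above, as an added example that is not code from Wired, Sears, or this article: strip direct identifiers from a chatbot transcript before it is persisted, so that a misconfigured storage location does not hand out the ready-made profile (name, contact details, order, payment card) the article describes. The sample transcript, the six-character order-ID format and the pseudonymisation key are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample transcript, modelled on the data categories the article says
# were exposed (name, contact details, purchase details). Not real customer data.
SAMPLE_TURNS = [
    ("customer", "Hi, this is Maria Lopez, maria.lopez@example.com, cell 555-0142."),
    ("bot", "Thanks Maria. Order A1B2C3 placed on April 12 for a refrigerator."),
    ("customer", "Delivery never came and the card ending 4242 was charged."),
]

# Hypothetical per-deployment secret; in production load it from a secrets manager.
PSEUDONYM_KEY = b"rotate-me-do-not-commit"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{4}\b")            # simple phone fragment
CARD_RE = re.compile(r"\b(?:card ending|ending in)\s+\d{4}\b", re.IGNORECASE)
ORDER_RE = re.compile(r"\b[A-Z0-9]{6}\b")                 # assumed order-ID format


def pseudonymize(value: str) -> str:
    """Keyed HMAC: support can still correlate one order across tickets, but a
    leaked log cannot be mapped back to the real order ID without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]


def redact_text(text: str, known_names=()) -> str:
    """Replace direct identifiers with typed placeholders before storage.
    Free-text names are hard to catch with patterns, so the caller passes the
    names the bot already knows from the authenticated session."""
    text = EMAIL_RE.sub("[EMAIL]", text)          # before names: keeps the email whole
    text = PHONE_RE.sub("[PHONE]", text)
    text = CARD_RE.sub("[CARD]", text)
    for name in known_names:
        for part in name.split():
            text = re.sub(rf"\b{re.escape(part)}\b", "[NAME]", text, flags=re.IGNORECASE)
    text = ORDER_RE.sub(lambda m: "[ORDER:" + pseudonymize(m.group()) + "]", text)
    return text


def redact_transcript(turns, known_names=()):
    """Redact every turn; this is what should reach the log store."""
    return [(role, redact_text(msg, known_names)) for role, msg in turns]


def residual_pii(turns) -> bool:
    """Guard before persistence: True if any pattern still matches after redaction."""
    return any(p.search(msg) for _, msg in turns
               for p in (EMAIL_RE, PHONE_RE, CARD_RE, ORDER_RE))
```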
Implementing AI tools to reduce customer support costs makes logical sense in a survival strategy — but cutting corners on data security turns into risks that could cost significantly more. This case raises a broader question: how ready are companies to responsibly deploy AI systems that work with sensitive data? The EU already has the AI Act in place with risk assessment requirements.
In the US, the FTC consistently pursues companies for inadequate consumer data protection — and breaches of this scale clearly fall within its scope of interest. For regular users, the conclusion is simple: an unexpected call that knows too much about your purchases may not be a coincidence, but a direct consequence of a breach you were never warned about.