Sears Exposed AI Chatbot Conversations and Text Exchanges to the Public Online

Sears department stores may have largely vanished from the American landscape, but the brand persists through its appliance repair service, now featuring a modern enhancement: an AI chatbot and phone assistant named Samantha. As this iconic retailer progresses into the future, recent findings reveal that discussions held with the chatbot were publicly available online.
Security researcher Jeremiah Fowler expressed surprise and concern last month upon discovering three publicly exposed databases housing extensive collections of chat logs, audio files, and text transcriptions containing personal information about customers of Sears Home Services. Sears Home Services claims to be the largest appliance repair service provider in the U.S. and says it performs over seven million repairs annually.
The exposed databases identified by Fowler, which have since been secured, included 3.7 million chat logs, along with 1.4 million audio recordings and text transcripts dating from 2024 to the present. One CSV file related to the incident contained 54,359 full chat logs. Conversations observed by Fowler featured the chatbot introducing itself as “Samantha, an AI virtual voice agent for Sears Home Services,” alongside references to the company’s AI technology “kAIros.” This data repository contained conversations in both English and Spanish and revealed personal information about Sears clients, such as names, phone numbers, home addresses, and details regarding appliances, delivery appointments, and repairs.
“It’s important to recognize that this is real data belonging to real individuals,” states Fowler, a researcher at Black Hills Information Security. While companies may seek to reduce costs by implementing AI, he insists that they must not cut corners when it comes to safeguarding that data. “At the very least, these files should have been password-protected and encrypted,” he adds.
After discovering the publicly accessible databases in early February, Fowler reached out to Transformco, the parent company of Sears and Sears Home Services, and the databases were swiftly secured, he reports. The duration of the exposure online and whether anyone besides Fowler accessed the information during that time remain unclear. Transformco did not respond to several inquiries from WIRED regarding the accessibility of this information on the internet.
Fowler mentions that upon disclosing his findings to Transformco, he received a response indicating they would connect him directly with a manager of the Samantha AI Chatbot. However, this individual never got back to him, even after he followed up.
While any leaked customer data poses a risk, Fowler was especially worried about the Sears data for two main reasons. First, such details could be highly valuable for phishing schemes, given that they include customers’ contact and home life information, which could be used for warranty fraud and other targeted attacks.
The second concerning aspect was the discovery that a surprising number of audio recordings captured lengthy periods of ambient sound after customers seemed to assume their calls had concluded. Some recordings extended up to four hours. It remains unclear why customers allowed calls to continue running after their conversations with the Sears AI agent had ended, but these lengthy sessions may have inadvertently recorded private discussions and sensitive information that customers believed were confidential. “You could hear the TV, and you could hear people talking, and it recorded all of that,” states Fowler.
