Sears Home Services AI Chatbot Exposed Millions of Customer Conversations Security researcher Jeremiah Fowler uncovered a major data exposure involving Sears Home Services, the largest appliance repair provider in the U.S., which performs over seven million repairs annually. Between 2024 and early 2025, three unsecured databases containing 3.7 million chat logs, 1.4 million audio files, and text transcripts were left publicly accessible online. The exposed data included customer interactions with "Samantha," Sears’ AI virtual assistant, powered by the company’s "kAIros" technology. Records revealed personal details such as names, phone numbers, home addresses, appliance information, and repair appointment schedules. Many conversations were in both English and Spanish. Of particular concern were the audio recordings, some lasting up to four hours far beyond the intended customer service calls. Fowler noted that ambient audio, including private conversations and background noise, was captured after customers believed their calls had ended. This raised significant privacy risks, as sensitive discussions may have been recorded without consent. Fowler reported the exposure to Transformco, the parent company of Sears and Sears Home Services, in early February. The databases were secured shortly after, though it remains unclear how long they were exposed or whether unauthorized parties accessed them. Transformco did not respond to requests for comment. The incident highlights vulnerabilities in AI-driven customer service systems, where cost-saving measures may overlook critical security safeguards. The exposed data could be exploited for phishing scams, warranty fraud, or other targeted attacks, given the detailed personal and household information it contained.

The Washington State Office of the Attorney General reported a data breach by Sears Holdings on April 24, 2018. The breach occurred from September 27, 2017, to October 12, 2017, affecting 2,373 individuals in Washington. The compromised information included names and payment card information due to a cyberattack involving malicious script inserted by an unauthorized individual.