Petco, a major retailer of pet products and services, recently confirmed a significant data breach that exposed highly sensitive customer information. Initially vague about the scope of the incident, the company later disclosed in a legally required filing with the Texas Attorney General's office that the compromised data includes names, Social Security numbers (SSNs), driver's license numbers, financial account details, credit or debit card numbers, and dates of birth.

The company attributed the exposure to an error within one of its software applications.

Petco also filed similar mandatory data breach notifications in California, Massachusetts, and Montana. While the company reported only one affected resident in Massachusetts and three in Montana, the exact number of California victims remains undisclosed. California law mandates disclosure for breaches affecting at least 500 state residents, so the filing there suggests a potentially larger impact in that state.

Petco spokesperson Ventura Olvera initially declined to answer specific questions regarding the breach, including the total number of customers affected, whether cybercriminals accessed the exposed data, the precise nature and timing of the identified issue, or the specific application involved. For context, Petco reported serving over 24 million customers in 2022. Olvera later provided a general statement to TechCrunch, confirming that the company had "provided further information to individuals whose information was involved."

A sample notification letter, published by California's Attorney General, sheds more light on the incident. Petco stated it discovered "a setting within one of our software applications that inadvertently allowed certain files to be accessible online." The company claims it "immediately took steps to correct the issue and to remove the files from further online access," along with implementing unspecified "additional security measures."

In response to the breach, Petco is offering free credit and identity theft monitoring services to affected customers in California, Massachusetts, and Montana. This provision is mandated by California law when sensitive data such as driver's license numbers or Social Security numbers is compromised. It remains unclear whether similar services are being extended to victims in Texas.