
Petco has disclosed that a recent security lapse exposed sensitive customer information including Social Security numbers, driver’s license numbers, and financial data, according to filings made with multiple U.S. state regulators after the company initially confirmed a breach without detailing the scope of the data involved.
Details Disclosed in State Filings
In a filing submitted on Friday to the Texas attorney general’s office, Petco said the compromised data included customer names, Social Security numbers, driver’s license numbers, financial information such as bank account numbers and credit or debit card numbers, and dates of birth.
Petco also submitted legally required breach notices in California, Massachusetts, and Montana. In Massachusetts, the company reported that one resident was affected, while in Montana it reported three affected residents.
Petco did not disclose the total number of affected customers in California. Because state law requires companies to notify the attorney general only when at least 500 residents are impacted, the filing itself indicates that the number of affected individuals in California likely meets or exceeds that threshold.
Company Response and Lack of Technical Detail
Petco spokesperson Ventura Olvera did not respond to a series of questions sent on Monday. The questions included how many customers were affected nationwide, whether the company has logs or other technical evidence showing whether cybercriminals accessed or exfiltrated the exposed data, when the issue was identified, and which software application was involved.
For comparison, Petco reported serving more than 24 million customers in 2022.
In a statement to TechCrunch on Friday, Olvera said the company had “provided further information to individuals whose information was involved.”
Cause of the Exposure and Mitigation Steps
California’s attorney general published a sample notification letter that Petco is sending to affected customers. In the letter, Petco said it discovered an issue with “a setting within one of our software applications that inadvertently allowed certain files to be accessible online.”
The company said it “immediately took steps to correct the issue and to remove the files from further online access,” corrected the faulty setting, and implemented what it described as additional security measures. The letter did not specify what those additional measures were.
Credit and Identity Monitoring for Victims
Petco is offering free credit and identity theft monitoring services to affected customers in California, Massachusetts, and Montana. Under California law, such services must be provided when a breach involves exposure of Social Security numbers or driver’s license numbers.
It remains unclear whether Petco is offering the same monitoring services to affected customers in Texas.
