A software misconfiguration led to sensitive data being accessible online, triggering disclosures in multiple states and raising concerns over Petco’s cybersecurity practices.
Data Breach at Petco Now Confirmed to Include Highly Sensitive Information
Petco has officially confirmed a serious data breach that compromised highly personal customer information, including:
- Full names
- Social Security numbers (SSNs)
- Driver’s license numbers
- Financial data, including account and card numbers
- Dates of birth
The scope of the breach was revealed Friday in a mandatory filing with the Texas attorney general’s office, and similar notices have since been submitted in California, Massachusetts, and Montana.
Likely Thousands Affected — But Numbers Remain Vague
Petco has not disclosed the total number of victims, but some details give insight into the scale:
- In California, state law requires notification if 500 or more residents are affected — and Petco filed a disclosure.
- Massachusetts and Montana reported only 1 and 3 victims, respectively.
- The Texas filing confirms exposure of highly sensitive identity and financial data.
Given Petco’s reported 24 million customers as of 2022, the potential exposure could be significant.
Cause: Misconfigured Software Setting
According to a customer notification letter published by the California Attorney General, the breach was caused by:
“A setting within one of our software applications that inadvertently allowed certain files to be accessible online.”
Petco says it took immediate action to fix the issue and implemented additional, unspecified security measures.
However, the letter does not clarify:
- Which software system was involved
- How long the data was exposed
- Whether any malicious actors accessed the data
Petco Offers Identity Protection — But Not in All States (Yet)
Affected customers in California, Massachusetts, and Montana are being offered free credit and identity theft monitoring services, as required by law when SSNs or driver’s licenses are compromised.
However, Petco has not confirmed whether similar protections are being extended to victims in Texas, despite the severity of the data involved.
Company Remains Silent on Key Questions
Petco spokesperson Ventura Olvera issued a brief statement confirming the breach but did not respond to detailed questions about:
- Total number of affected customers
- Whether cybercriminals accessed or stole data
- When the issue was discovered and resolved
- The specific application involved
This lack of transparency is likely to fuel consumer concern and could invite regulatory scrutiny, especially if more states or federal authorities become involved.
Regulatory and Reputational Fallout Likely
Petco’s breach highlights the growing cybersecurity risks for companies handling large volumes of consumer data — particularly when caused by basic misconfigurations, which are preventable.
With financial, identity, and licensing data exposed, victims could face long-term risks of fraud and identity theft.
In the coming weeks, more information may emerge regarding:
- The number of total affected individuals
- Whether any data was actively stolen
- Potential class action lawsuits or regulatory penalties
Petco has confirmed a data breach exposing customers’ SSNs, driver’s licenses, financial data, and more, due to a misconfigured software setting. While disclosures were filed in four states, the full scale remains unclear. Petco has offered identity protection in select states but declined to answer key questions about the breach.
