U.S. pet products and services retailer Petco has disclosed a customer data exposure that made highly sensitive personal information accessible online due to a misconfigured software setting.
The company has notified regulators in multiple U.S. states, including Texas, California, Massachusetts and Montana, and begun informing affected individuals. Letters to customers filed with the states’ attorneys general confirmed that an unauthorized party could access their personally identifiable information.
Regulatory Notices Reveal Exposure of High-Risk Personal Data
Petco has not said how many customers were affected in total, although California state law requires companies to disclose breaches affecting more than 500 customers. The retailer serves around 24 million customers.
The sensitivity of the data involved, which includes customers’ social security numbers (SSNs), driver’s license numbers, dates of birth and financial account information, has made the incident significant regardless of the scale.
That information provides the identifiers most frequently used by fraudsters in identity theft, account takeover, tax fraud and other crimes. Even a small number of victims is enough to generate lasting financial and emotional fallout.
SSNs and bank account details cannot be reissued as easily as a password can be reset, so the security risks can persist for years. That causes prolonged anxiety for customers and requires brands to invest in extended work to rebuild relationships.
An Internal System Error With Customer Experience Implications
Petco attributed the incident to an internal software configuration error. In the notice filed with California’s attorney general, the company wrote that it discovered “a setting within one of our software applications that inadvertently allowed certain files to be accessible online.”
“We discovered the issue on our own through a routine security review. After discovering the issue, we immediately took steps to correct the issue and to remove the files from further online access.”
The company added that it has implemented “additional security measures and technical controls to enhance the security of our applications.”
Petco is also offering the affected customers access to free credit and identity monitoring services. In California, the company is offering complimentary access to Epiq for a specified period, while the Massachusetts notice offers free Single Bureau Credit Monitoring and proactive fraud assistance through Cyberscout, a TransUnion company.
Law firms including Lynch Carpenter, which has offices in California as well as Pennsylvania and Illinois, and Federman & Sherwood, with offices in Texas and Oklahoma, are investigating whether the Petco data breach could have been prevented and what rights affected individuals may have. They are inviting affected customers to contact them with a view to potentially launching class action lawsuits.
The incident is not the only security lapse Petco has had to deal with this year. This week the company took offline part of the website of its veterinary services business, Vetco Clinics, after TechCrunch alerted it to exposed data relating to Vetco customers and their pets.
And earlier this year, Petco was part of a Salesforce breach by hackers connected to the Scattered Lapsus$ Hunters collective, who allegedly stole from a database of customer information, affecting multiple brands including Google.
The recurrence of data exposures at Petco, along with a series of high-profile cybersecurity breaches at other retailers this year, reinforces the reality that data governance is no longer just a privacy or security concern; it is increasingly a customer experience function. How organizations secure, collect, store and audit customer data is inseparable from their brand integrity.