Last week, the pet products and services giant Petco confirmed it experienced a data breach involving customers’ personal information. Initially, the company did not specify what type of data was affected.
On Friday, in a legally required filing with the Texas attorney general’s office, Petco reported the compromised data included names, Social Security numbers, driver’s license numbers, financial information such as account numbers and credit or debit card numbers, and dates of birth. Petco also filed similar required notices in California, Massachusetts, and Montana. In Massachusetts and Montana, Petco reported one and three affected residents respectively.
The company did not disclose the exact number of victims in California. However, state law requires companies to disclose breaches involving at least 500 residents, suggesting the number of victims in California exceeds that figure. Petco spokesperson Ventura Olvera did not respond to a series of questions sent on Monday, which included how many customers in total were affected. For context, in 2022, Petco stated it served more than 24 million customers.
In a statement to TechCrunch on Friday, spokesperson Ventura Olvera said the company had provided further information to the individuals whose information was involved. California’s attorney general published a sample letter that Petco is sending to affected customers. The message explained that Petco discovered an issue with a setting within one of its software applications that inadvertently allowed certain files to be accessible online. The company stated it immediately took steps to correct the issue, removed the files from further online access, corrected the setting, and implemented additional security measures.
The company is offering free credit and identity theft monitoring services to victims.