Last week, the pet products and services giant Petco confirmed it experienced a data breach involving customers’ personal information. At the time, the company did not specify what type of data was affected.
On Friday, in a legally required filing with the Texas attorney general’s office, Petco reported the compromised data included names, Social Security numbers, driver’s license numbers, financial information such as account numbers and credit or debit card numbers, and dates of birth. The company filed similar legally required notices in California, Massachusetts, and Montana. In Massachusetts and Montana, Petco reported one and three affected residents, respectively.
The company did not disclose the exact number of victims in California. However, California law requires companies to disclose breaches involving at least 500 state residents, which suggests the number of victims in California exceeds that figure.
Petco spokesperson Ventura Olvera did not respond to a series of questions sent on Monday. These questions included how many customers in total were affected, whether Petco has technical means to determine if cybercriminals accessed and stole the exposed data, what and when the specific issue was identified, and what application was involved in the incident. For context, in 2022 Petco reported it served more than 24 million customers.
Also on Friday, Petco spokesperson Ventura Olvera provided a statement saying the company had “provided further information to individuals whose information was involved.”
California’s attorney general published a sample letter that Petco is sending to affected customers. The message stated Petco discovered an issue with a setting within one of its software applications that inadvertently allowed certain files to be accessible online. The company said it immediately took steps to correct the issue, removed the files from further online access, corrected the setting, and implemented additional security measures.
Petco is offering free credit and identity theft monitoring services to victims in California, Massachusetts, and Montana. Under California law, for example, companies must provide these services if a breach exposes a driver’s license number or Social Security number. It is unclear if Petco is also offering these services to victims in Texas.