Petco has acknowledged a data breach involving the compromise of card payment systems and swiping machines, which led to exposure of customer data containing extremely sensitive personal information such as Social Security numbers and driver license numbers, according to copies of regulatory notices filed with several state attorneys general. The company said the exposure was due to a misconfigured setting in one of its software applications that unintentionally made files accessible on the internet.
What Petco says happened in the misconfiguration incident
Legal filings in Texas and notices to authorities in California, Massachusetts and Montana say that the exposure originated from a misconfigured setting. A sample notice posted by California’s attorney general says the setting has been fixed and exposed files removed, with further precautions taken.
Petco has not said how many customers were involved, whether unauthorized individuals accessed or downloaded the information, or which application was responsible. As TechCrunch first reported, the company offered no comment on those specific questions. California requires a notice to its attorney general only when at least 500 residents are affected, so the actual number of victims may be substantially higher.
What data was exposed in the Petco misconfiguration breach
The notices state that the affected data included names, Social Security numbers, driver license numbers, dates of birth, and financial information including account or payment card numbers. This combination is particularly sensitive. SSNs, birth dates and license numbers are the building blocks of identity theft and synthetic identity fraud, which bad actors can use to open credit lines, take over accounts or file phony tax returns.
Because the breach involved files that were reachable online, the threat is not necessarily confined to a single intrusion. Publicly available files can be scraped automatically, and quiet downloads leave minimal traces, making it difficult to confirm how widely the data was accessed.
How much impact could there be for affected Petco customers
Petco says publicly that it serves tens of millions of customers, which highlights the possible reach if even a fraction were affected. Some of the filings reference a relatively small number of local residents, but that snapshot is not the full nationwide measure. Without a firm number from the company, it falls to customers and regulators to estimate the scope from state-specific thresholds and the kinds of data that were exposed.
For consumers, the nature of the data matters more than the raw number. The exposure window for SSNs and government ID numbers is far longer: unlike passwords, which can be changed, those identifiers persist and circulate in criminal markets for years.
Misconfiguration still the leading security weakness
Human error is a longstanding culprit in exposures of this kind, especially as companies adopt more complicated cloud applications and interconnected platforms. Verizon’s Data Breach Investigations Report has consistently found misconfigurations and other human mistakes to be a major factor contributing to breaches, and IBM’s Cost of a Data Breach report has indicated that incidents involving personal records are the most costly for organizations to face.
The pattern is a familiar one: a permissive setting here, an overly broad policy there, a forgotten test bucket and — presto! — internal files end up exposed to the public. This is only preventable with layered controls like default-deny policies, automated configuration scanning, least-privilege access and continuous monitoring tied to alerting on anomalous file exposures.
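As an added illustration of the automated configuration scanning the paragraph calls for (example code written for this page, not Petco's or any vendor's): a check that flags policy statements granting anonymous read access, run against a constructed permissive bucket policy and its hardened counterpart. It assumes an IAM/S3-style policy JSON format, since the article does not say which application or service was misconfigured; the account id and bucket name are placeholders.

```python
import json

# Constructed sample (not from the article), in IAM/S3-style bucket-policy JSON;
# the article does not identify the application or service Petco misconfigured.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Corrected form: same access, but only for one named role (placeholder account id);
# every other caller falls through to the implicit default deny.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Actions that let a caller list or download objects; wildcards count too.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal) -> bool:
    # "*" or {"AWS": "*"} means anyone on the internet, no credentials needed.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def find_public_read_grants(policy_json: str) -> list:
    """One (Sid, kind) per Allow statement that lets anyone read or list objects.
    Conditioned statements are reported as 'conditional' for manual review."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            sid = stmt.get("Sid", f"Statement[{i}]")
            findings.append((sid, "conditional" if stmt.get("Condition") else "public-read"))
    return findings
```

Run on a schedule against every bucket policy, an empty result for each is the default-deny posture the paragraph describes; any finding is the alert.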
What customers should do to protect against identity fraud
Petco is offering credit and identity monitoring where state law requires it when SSNs or driver license numbers are exposed. Residents who receive a notice should enroll, and everyone else should consider the following steps regardless of where they live.
- Put a credit freeze with Equifax, Experian and TransUnion to prevent new applications for credit.
- Place a fraud alert on your credit report and review your credit reports routinely.
- Keep a close eye on bank and card statements, establish transaction alerts and report any suspicious activity right away.
- To help prevent tax refund fraud, ask the IRS for an Identity Protection PIN.
- Contact your state motor vehicle agency to inquire about tracking or replacing your license number if necessary.
- Watch for phishing that borrows legitimacy by referencing pet purchases, grooming or veterinary services.
Regulatory and legal exposure following data breach reports
State attorneys general have the authority to investigate how these companies handle data and then secure some form of a remedy when sensitive information is exposed. In California, privacy laws mandate extensive breach notifications and allow for statutory damages in some cases of insufficient security. If the breach included payment card or financial account information, additional industry requirements may be applicable.
Class action litigation frequently follows data breaches involving SSNs and government IDs, focusing on alleged security lapses as well as the long-term risk of identity theft. The legal and regulatory result will depend on forensics around access, timeliness of detection, and sufficiency of technical controls.
The bottom line for Petco customers after the data exposure
A single misconfigured application setting can expose some of the most sensitive information a retailer stores. Until Petco explains how many of its customers were affected and whether the files were accessed, consumers should assume their information might be at risk. Stronger configuration management and ongoing validation of access controls are still needed to avoid the next exposure.