Petco breach exposes SSNs and payment card data

Bill Thompson
By Bill Thompson
News
6 Min Read

Petco has admitted a data breach leading to customer information including Social Security numbers and payment card details being among files inadvertently exposed online due to an insecure software setting.

The company claims that it blocked unauthorized access as soon as the problem was brought to its attention and has been informing those affected.

Table of Contents
Petco data breach exposing SSNs and payment card data, cybersecurity concept

What happened, and what personal data was exposed

One of Petco’s applications was configured to serve up certain files on the internet, according to disclosures that the company shared with state attorneys general. Those files included personal information on individuals, including names and dates of birth, Social Security numbers, driver’s license numbers, bank account information, and credit or debit card details. Petco said that the exposure was identified and a patch put in place as soon as it was discovered.

Although the forensic investigation is still underway, the mix of SSNs, licenses, and financial data would put victims at higher risk for identity theft. Unlike passwords, SSNs and government ID numbers are not so easily changed, which raises the long-term stakes for anyone who is affected.

Scope of impact and state regulatory filings

It was not immediately clear from Petco how many customers in total were affected. The retailer has around 24 million customers a year and has reported breaches in a number of states. Filings show at least one affected resident in Massachusetts and three in Montana. In California, the company’s notice indicates that at least 500 residents have been affected — the minimum required for public disclosure in that state.

A filing with the Texas Attorney General, however, does provide slightly more detail on the kind of data that was exposed and reiterates that access was shut off when the problem was discovered. The TechCrunch reporting made the issue more widely known.

Why this breach matters for consumers and safety

When SSNs and driver’s license numbers are included, suspects can try for loan applications, account openings, tax fraud, or to establish synthetic identities. Bank and card details may enable direct financial fraud or serve as a tool in targeted phishing. Even if credit card details are incomplete, they can be used in concert with data stolen in other breaches to increase the success rate of scams.

The Petco logo, featuring the word petco in red lowercase letters, followed by a stylized red dog and a blue cat sitting together. The background is white.

Petco says it is providing free credit monitoring to anyone who gets a notice. Security experts also suggest consumers consider a credit freeze with all three major bureaus, set up transaction alerts on bank and card accounts, and be wary of specific phishing emails that mention the retailer or orders they may have recently placed. If you see something that looks fishy, report identity theft and contact your financial institutions right away.

Broader trend of misconfigurations fueling breaches

Misconfigured cloud tools and apps are still to blame for many incidents.

The human factor of errors, misuse, and social engineering has been at the core of a huge proportion of incidents, according to Verizon’s Data Breach Investigations Report. The record 3,205 publicly reported data breaches in the United States last year, compiled by the Identity Theft Resource Center, underscore how common such incidents have become.

Shopping sites are prime victims because they hold a treasure trove of consumer data and networks that link to multiple vendors. There is no public evidence linking the Petco incident to other recent large-scale breaches of third-party platforms, but it underscores the systemic risk that comes from interlocked software and supply chains.

Company’s response and possible liability

Petco said it immediately rectified the misconfiguration, blocked access, and retained external cybersecurity consultants to help with its investigation. “Those affected are being notified by email detailing membership in monitoring services and the steps they may take to protect their information.” The company is also consulting with state regulators.

Per privacy regulations like California’s CCPA/CPRA, companies generally must alert residents when some of their personal information is compromised and may be the subject of regulatory investigation and civil litigation. Its latest Cost of a Data Breach report puts the global average per-breach cost at $4.88M (covering response, remediation, legal services, and so on — costs which clearly go up when hacks involve sensitive identifiers such as SSNs).

What to do now if you’re a Petco customer affected

  • Sign up for the credit monitoring Petco is providing.
  • Consider freezing your files with Equifax, Experian, and TransUnion.
  • Set up alerts for all bank and card accounts.
  • Scrutinize statements and dispute unauthorized charges as soon as possible.
  • Delete any phishing attempts that appear to be from Petco or that reference personal information.
  • No legitimate message will request full SSNs or complete card numbers in an email or text; do not provide them.
  • Use the retailer’s official support channels instead of clicking links within unexpected messages.
  • Keep breach notification letters in a safe place.
  • During tax season, apply for an IRS Identity Protection PIN to help guard against fraudulent returns.
Bill Thompson
ByBill Thompson
Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.
Latest News