Petco Breach, Temu Spyware Claims, as Ransomware Toll Hits $4.5B

Bill Thompson
By Bill Thompson
News
6 Min Read

A wild week in cybersecurity has consumers and businesses on edge. Petco reported a breach that involved some of its most sensitive customer data, Arizona alleged that Temu operates a retail app that sounds a lot like spyware, and ransomware payments by U.S. organizations have now exceeded $4.5 billion, new figures show. Here’s what happened, what it means, and what you can do to protect yourself.

What We Know About the Petco Breach So Far

Petco acknowledged an intrusion affecting customer records but has not disclosed how many individuals were affected publicly. Notices suggest the treasure trove may also contain names, emails, dates of birth, Social Security numbers, driver’s license details, and financial information, including bank accounts and credit or debit card details. The company says it is informing affected customers and warning people to be on the lookout for scams.

Table of Contents
The Temu logo, featuring white icons of a dress, a rocking horse, a high-heeled shoe, and a handbag above the word TEMU in white, all set against a vibrant orange background. The image has been resized to a 16:9 aspect ratio.

Identity theft and targeted phishing are the more immediate risks. “Being exposed to SSNs and licensing data causes the threat model to rise from simple account takeover, which takes minutes or hours for detection and remediation, into long-term fraud use cases like new account opening or loan application.” If you’ve adopted a pet or have shopped with Petco, be alert to official notices and regard any unsolicited emails, texts, or calls as suspect unless confirmed through a trusted channel.

Arizona Pursues Temu for Alleged Spyware Conduct

The Arizona Attorney General’s Office filed the suit claiming that Temu collects an amount of data that goes far beyond what a shopping app needs, and does so without proper consent, according to reporting in Dark Reading. (The complaint alleges code-level behavior to avoid scanning and change functionality dynamically—qualities that regulators compare to spyware.) Temu denies any wrongdoing and highlights affordability for consumers, though it does not directly address the scope of data collection alleged in the lawsuit.

For users, the problem is trust and permissions. Retail apps frequently ask for permission to access contacts, location, photos, Bluetooth, and sensors that can be commercialized beyond checkout. If you use Temu—or any commerce app, for that matter—review storage permissions, cut off unnecessary background access, and consider deleting apps you don’t use actively. Both Apple and Google offer privacy dashboards, which display what data is accessed and when.

A wrinkled orange Temu package sits in the foreground with a brown cardboard box in the background, all on a light orange surface.

Ransomware Payments in the U.S. Hit Over $4.5B

American organizations have paid more than $4.5 billion in ransoms to criminal groups, according to U.S. Treasury filings reported on by SecurityWeek. Average payments have hovered around $250,000 based on data from the Financial Crimes Enforcement Network (FinCEN), but multimillion-dollar transfers are becoming more common with double extortion tactics that marry file encryption and data theft.

The cost doesn’t end with the ransom. One company publicly attributed the financial cost of its 2023 cyberattack to about $100 million after accounting for operational downtime, legal fees, and recovery expenses that often dwarf any payment. Chainalysis has also observed a resurgence in ransomware earnings, bouncing back from dips on the heels of threat actors modifying playbooks and focusing on healthcare, manufacturing, education, and local government.

How to Lower Your Personal Cybersecurity Risk Today

Behave as if your data is already being shared.

  • Freeze your credit with Equifax, Experian, and TransUnion to prevent new-account fraud.
  • Place fraud alerts if you think your SSN or driver’s license number was compromised.
  • Closely monitor bank and card statements with real-time transaction alerts.
  • Adopt a password manager and turn on multi-factor authentication for email, banking, cloud storage, and carrier accounts.
  • Be wary of “urgent” communications and confirm requests through phone numbers or URLs you check for yourself—not those listed in a message. The Federal Trade Commission’s IdentityTheft.gov discusses what to do if you suspect misuse.

On mobile, cut your app permissions to the bone.

  • If a shopping app requests your location, Bluetooth, or contacts, ask why.
  • Use your operating system’s privacy report to catch suspicious-looking behavior.
  • Remove apps you don’t use anymore.

Guidance for Organizations Facing Cyber Threats

  • Assume breach.
  • Keep offline, immutable backups—and test restoration regularly—since recovery is the best defense against extortion.
  • Quickly patch public-facing systems, enforce MFA across the organization, and deploy least-privilege access with network segmentation to prevent the spread of malware.
  • Invest in endpoint detection and response with 24/7 monitoring, log retention, and threat hunting.
  • Run tabletop exercises involving executive decision-makers so legal, communications, and IT are aligned under pressure.
  • The FBI and CISA are clear on not paying ransoms; there is no guarantee cybercriminals will decrypt files, and payments can violate sanctions and incentivize future attacks.
  • Close the human loop. Phishing remains a leading entry point, so replicate, monitor, and reward regular ongoing phishing training. Provide quick reporting avenues for suspicious activity and incentives for early escalation—minutes count when ransomware actors are already inside your network.
Exit mobile version