Petco has acknowledged a security lapse that exposed customer information, including Social Security numbers and driver’s license numbers, after files connected to a setting in one of its online services were left publicly accessible.
The company has alerted public officials in several states and is providing identity protection services to consumers affected in some states.
- What Petco Says Happened in the Misconfiguration Incident
- Data Potentially at Risk in Petco’s Misconfiguration Incident
- Scope of the Breach and Notifications to U.S. States
- Why This Breach Matters for Customers and Organizations
- Here’s What Customers Should Do Now to Protect Themselves
- The Retail Security Proposition and Defensive Best Practices

What Petco Says Happened in the Misconfiguration Incident
In notices that it filed with state regulators, the retailer said a setting in one of its applications was not closed and allowed some files to be publicly reachable. Petco says it removed the files from online access, fixed the setting and is taking extra steps to secure them.
The company has not said how long the files were exposed, how many customers were affected, or whether access logs exist that could confirm or rule out data exfiltration. That opacity is common in misconfiguration incidents: an anonymously reachable file has no list of authorized readers, and unless request logging was already switched on there is often no record of who actually fetched it or when.
Data Potentially at Risk in Petco’s Misconfiguration Incident
Regulatory filings say the exposed data could include:
- Names
- Social Security numbers
- Driver’s license numbers, dates of birth, and other information from driver’s licenses
- Bank account numbers
- Financial-transaction card information
Not every affected person had data in every category, but the presence of SSNs and government ID numbers makes the long-term identity-theft risk far worse.
Exposed payment cards are usually handled by the issuer reissuing the card and monitoring for fraud, whereas SSNs and dates of birth cannot be reissued and can be used for years in tax fraud, unauthorized loans, and synthetic-identity schemes. The Federal Trade Commission notes that these identifiers are especially attractive to criminals precisely because they rarely change.
Scope of the Breach and Notifications to U.S. States
Petco sent notices to the attorneys general of Texas, California, Massachusetts, and Montana. The Massachusetts and Montana filings name relatively few affected residents, while the California notice, which the state requires only when more than 500 residents are affected, suggests a larger footprint there. The total number of affected customers has not been disclosed.
The sample letter filed in California offers affected residents free credit and identity monitoring, which California law requires when Social Security numbers or driver’s license numbers are breached. It is not yet clear whether, or when, affected customers in other states will be offered the same service.

For context, Petco has previously reported serving more than 24 million customers, so even a small fraction of that base would be a large number of affected people.
Why This Breach Matters for Customers and Organizations
Cloud and web-application misconfigurations are consistently among the leading causes of data exposure across industries. Verizon’s Data Breach Investigations Report has repeatedly found that error-based events such as open storage and access-control mistakes remain a persistent problem. Once files are reachable without authentication, search engines and automated scanners can discover them quickly.
The economic toll can be crushing. IBM’s latest Cost of a Data Breach Report measures the global average cost per breach at around $4.88M, with costs higher when customer PII is compromised. The most difficult costs to estimate are reputational: customer churn and lost trust, especially when high-value identity items like SSNs are spilled.
Here’s What Customers Should Do Now to Protect Themselves
Take these steps if you believe you were affected:
- Sign up for any free credit and identity monitoring that Petco is offering.
- Place a credit freeze with Equifax, Experian, and TransUnion to stop new credit applications; consider a ChexSystems freeze to prevent new bank accounts from being opened in your name.
- Check bank and card statements, configure transaction alerts, and order replacement cards if informed about possible exposure.
- If your driver’s license number was included, contact your state DMV to inquire about replacing the ID or flagging the record.
- To minimize the risk of tax refund fraud due to exposure of your SSN, get an IRS Identity Protection PIN.
- Change your Petco account password and turn on multifactor authentication; if you reused that password on other sites, change it there as well.
- Promptly report a potential case of identity theft at IdentityTheft.gov and report any scams.
The Retail Security Proposition and Defensive Best Practices
Retailers that create, store, and use payment data and loyalty-profile records should assume that any storage location can be exposed by a single misconfiguration and build defenses accordingly. The Cloud Security Alliance and the SANS Institute both recommend robust access controls, ongoing configuration monitoring, strict bucket and share permissions, and data loss prevention to keep sensitive information from being exposed.
Data minimization helps too: limit where SSNs and government IDs are stored, keep them segregated from general-purpose systems, and encrypt them at rest and in transit. Just as critically, make sure encryption keys and access policies are actually enforced: encryption at rest provides no protection when the storage service itself decrypts the file and serves it to any unauthenticated requester.
Customers should assume the data can be misused until Petco publishes fuller findings. The best defense against downstream fraud is the preventive measures available today: freezes, monitoring, and strong account security.
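The kind of configuration check the two paragraphs above call for, as an added example that is not Petco’s code and does not come from its filings. Because the notices do not say which service or setting was left open, the example assumes an S3-style bucket policy and ACL as the illustration; the bucket name, account number, role name and VPC endpoint ID are made up, and the sample documents are constructed for the example.

```python
"""Offline audit of object-storage access settings for public grants.

Added example, not code from the Petco notice or any Petco system. The
filings do not identify the service or setting involved, so this assumes an
S3-style bucket policy and ACL purely to illustrate the kind of check that
"ongoing configuration monitoring" implies. Every sample below is constructed.
"""
import json

# ACL grantee groups that make a grant readable by the world / any AWS user.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy JSON allows a scalar or a list in most positions."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for vals in principal.values() for v in _as_list(vals))
    return False


def public_policy_statements(policy_json):
    """Return Sids of unconditional Allow statements for a public principal.

    Statements with a Condition (aws:SourceVpce, aws:SourceIp, ...) are not
    flagged because the condition may narrow "*" to a private network; they
    still deserve a manual read. Deny statements naming "*" are ignored.
    """
    policy = json.loads(policy_json)
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in _as_list(policy.get("Statement", []))
        if stmt.get("Effect") == "Allow"
        and _principal_is_public(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]


def public_acl_grants(acl_json):
    """Return (grantee URI, permission) pairs that expose the bucket via ACL."""
    acl = json.loads(acl_json)
    return [
        (g["Grantee"].get("URI"), g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_ACL_GRANTEES
    ]


# Weak setting (constructed): "PublicRead" lets anyone fetch every object.
# "VpcOnly" also names "*" but is narrowed by a Condition, so it is not flagged.
WEAK_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"},
  {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*",
   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}]}"""

# Corrected setting (constructed): reads limited to one application role
# (hypothetical account and role); the only "*" principal is a Deny forcing TLS.
HARDENED_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppRoleRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploads-app"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"},
  {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-uploads/*",
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}"""

# Weak ACL (constructed): owner plus a READ grant to the AllUsers group.
WEAK_ACL = """{"Owner": {"ID": "0123456789abcdef"}, "Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
   "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
   "Permission": "READ"}]}"""

# Corrected ACL (constructed): owner only.
HARDENED_ACL = """{"Owner": {"ID": "0123456789abcdef"}, "Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
   "Permission": "FULL_CONTROL"}]}"""


def audit(policy_json, acl_json):
    """Combine both checks into one list of findings for a bucket."""
    findings = ["policy statement %s allows public access" % sid
                for sid in public_policy_statements(policy_json)]
    findings += ["ACL grants %s to %s" % (perm, uri)
                 for uri, perm in public_acl_grants(acl_json)]
    return findings
```

Run `audit(WEAK_POLICY, WEAK_ACL)` to see both findings and `audit(HARDENED_POLICY, HARDENED_ACL)` to see an empty list. In practice the policy and ACL documents would be pulled from the provider’s API on a schedule and any finding raised as an alert; the statements this script deliberately skips because they carry a Condition still need a human to confirm that the condition really confines "*" to a private network, and provider-level controls such as an account-wide block on public access are a cheaper first line of defense than any scanner.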