FindArticles © 2025. All Rights Reserved.

Petco Takes Vetco Site Offline After Data Exposure

Last updated: December 10, 2025 2:29 pm
By Bill Thompson

Pet wellness seller Petco has shut down part of its Vetco Clinics website after a security lapse leaked customer records across the open web — including names, addresses, and detailed pet medical histories.

Some customer files were indexed by a major search engine and were searchable with basic queries before the takedown.

Table of Contents
  • What Happened: How a Simple IDOR Exposed Pet Records
  • What Data Was Exposed in the Vetco Clinics Incident
  • A Pattern of Security Incidents at Petco and Vetco
  • Why IDOR Still Happens Despite Common Security Controls
  • How Search Indexing Compounds Risk After Data Exposures
  • What Customers Can Do Right Now to Protect Their Data
  • What to Watch Next as Investigations and Lawsuits Loom

What Happened: How a Simple IDOR Exposed Pet Records

Investigators and security researchers say the flaw is a type of insecure direct object reference, or IDOR. In practice, the Vetco site failed to check whether a user had the right to see a file. Anyone could pull up another customer’s record by changing a number in the web address, and because the numbers were assigned sequentially, other customers’ records were easy to guess.

Parts of the site that process records were later shut down. The company has not indicated whether log files are enough to determine which files were accessed, or who did the accessing — a critical question facing both customers and regulators.
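The log question above can be made concrete with a short review script. This is an added example, not code from Petco or from the original article; the log layout, the `/records/<id>` path and the sample lines are constructed for illustration. It lists which record IDs each client was actually served and flags clients that walked consecutively numbered records.

```python
import re
from collections import defaultdict

# Constructed sample: "<ip> <session> GET /records/<id> <status>" (assumed layout).
SAMPLE_LOG = """\
198.51.100.20 sess-a GET /records/7301 200
198.51.100.20 sess-a GET /records/7350 200
203.0.113.9 sess-b GET /records/7400 200
203.0.113.9 sess-b GET /records/7401 200
203.0.113.9 sess-b GET /records/7402 200
203.0.113.9 sess-b GET /records/7403 404
203.0.113.9 sess-b GET /records/7404 200
203.0.113.9 sess-b GET /records/7405 200
203.0.113.9 sess-b GET /records/7406 200
203.0.113.9 sess-b GET /records/7407 200
"""

LINE = re.compile(r"^(\S+) (\S+) GET /records/(\d+) (\d{3})$")

def ids_by_client(log_text):
    """Map (ip, session) -> sorted distinct record ids served with HTTP 200."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(4) == "200":
            seen[(m.group(1), m.group(2))].add(int(m.group(3)))
    return {client: sorted(ids) for client, ids in seen.items()}

def longest_run(ids):
    """Length of the longest stretch of consecutive integers in sorted ids."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_run=4):
    """Clients served at least min_run consecutively numbered records."""
    return {client: ids for client, ids in ids_by_client(log_text).items()
            if longest_run(ids) >= min_run}

if __name__ == "__main__":
    for client, ids in flag_enumeration(SAMPLE_LOG).items():
        print(client, "was served", len(ids), "records:", ids)
```

The result is only as good as the logging: if the server did not record the full path and a session or client identifier for each request, the list of served record IDs cannot be rebuilt afterwards.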

What Data Was Exposed in the Vetco Clinics Incident

The files that were exposed included:

  • Customer names, home addresses, email addresses, and phone numbers.
  • Clinic name and address, veterinarian name, service date, and itemized charges.
  • Request/consent forms with signatures.
  • Medical details: examinations, test results, summaries of diagnoses; animal vital statistics and prescription information; pet names; species and breed; sex; age of the patient (animal); date of birth where available; and microchip number, if applicable.

While pet health information is not protected by the federal medical privacy rules created for humans, the owner data contained in these records is highly sensitive. When linked with clinic and treatment information, it can be used to drive targeted phishing campaigns, identity verification fraud, or social engineering. If misused, microchip numbers can complicate owner verification and recovery processes at registries.

A Pattern of Security Incidents at Petco and Vetco

The website exposure follows other security problems for the company. Earlier, hackers affiliated with a group called Scattered Lapsus$ Hunters had boasted of having stolen a large trove of customer data from a database hosted with a leading cloud provider and were extorting the company to keep it off the internet. The company also reported a subsequent breach, resulting from a faulty software setting, that had made some files public, including Social Security numbers, driver’s licenses, and payment card information.

The company did not disclose how many people that totaled. In California, companies must report a breach to authorities, and for public disclosure, if at least 500 residents were affected, which is frequently an indication that the exposure extends beyond one state.


Why IDOR Still Happens Despite Common Security Controls

Broken Access Control (the category IDOR falls into) sits at number five on the OWASP Top 10 risks to web applications. The error itself is rather subtle: it occurs when developers lose track of who is identified and omit an authorization check at the level of individual objects. That combination turns internal file references into a public index. Yet, for such a simple flaw, it remains stubbornly pervasive across sectors because it easily escapes simplistic ‘functional’ testing and is caught only by adversaries.

Defenses include:

  • Checking access on every object request.
  • Using non-sequential or opaque IDs.
  • Applying tight rate limits and anomaly detection.
  • Running focused testing around authorization controls within continuous deployment pipelines.
  • Applying the same controls on API gateways and backend services, as IDOR issues are more common on APIs than web pages.
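The first two defenses in the list, shown side by side with the flawed lookup. This is an added example, not the site's code; the store, the field names and the users are hypothetical. `demo()` doubles as the kind of cross-user authorization test the fourth bullet calls for.

```python
import secrets

class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""

class RecordStore:
    """Toy in-memory store; every name and field here is hypothetical."""

    def __init__(self):
        self._by_seq = {}     # sequential integer id -> record (weak design)
        self._by_token = {}   # opaque random id -> record (hardened design)
        self._next = 1000

    def add(self, owner, body):
        record = {"owner": owner, "body": body}
        seq, token = self._next, secrets.token_urlsafe(16)
        self._next += 1
        self._by_seq[seq] = record
        self._by_token[token] = record
        return seq, token

    def get_vulnerable(self, user, seq):
        # IDOR: `user` is authenticated but never compared with the owner.
        return self._by_seq[seq]["body"]

    def get_checked(self, user, token):
        record = self._by_token.get(token)
        # Same error for "missing" and "not yours", so responses do not
        # confirm which identifiers exist.
        if record is None or record["owner"] != user:
            raise Forbidden("record not available")
        return record["body"]

def demo():
    """Cross-user check: alice asks for a record that belongs to bob."""
    store = RecordStore()
    a_seq, a_token = store.add("alice", "alice's visit summary")
    b_seq, b_token = store.add("bob", "bob's visit summary")
    leaked = store.get_vulnerable("alice", b_seq)   # served without a check
    try:
        store.get_checked("alice", b_token)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked, store.get_checked("alice", a_token)

if __name__ == "__main__":
    print(demo())
```

Opaque identifiers only make records harder to guess; the ownership comparison in `get_checked` is what actually enforces access, so it must stay even when IDs are random.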

How Search Indexing Compounds Risk After Data Exposures

When sensitive documents are uploaded to the public internet, search engines can find and index them quickly, even if they’re not linked from common pages. Deleting the source and requesting deindexing help, but caches and third-party scrapers can still prolong the exposure. For security teams, search engine monitoring and takedown escalations are a component of breach response, not an afterthought.

What Customers Can Do Right Now to Protect Their Data

Customers who have used in-store or pop-up clinic services are advised to watch for suspicious emails or texts pertaining to recent visits, pets’ names, or treatment information.

  • Consider adding a fraud alert with the three major credit bureaus.
  • Monitor financial statements for suspicious order activity, especially if personal data (PD) was also compromised in previous breaches.
  • If a microchip number was revealed, contact the chip registry to ensure contact information is up to date.

State privacy laws give customers the right to ask companies for details about the data they store and with whom that data is shared, and, where possible, to request deletion of any data tied to the customer’s name or other personal information. If identity documents or financial information were exposed in a related breach, it might be time to consider credit freezes and changing IDs.

What to Watch Next as Investigations and Lawsuits Loom

Anticipate scrutiny by state attorneys general and consumer protection regulators, who increasingly consider repeated breaches and preventable access control failures to be evidence of an ineffective security program. Class-action lawsuits are also frequently filed following exposures of signatures, medical information, or financial records. Customers and investors will expect a clear timeline of exposure, the number of records involved, third-party validation that the remediation was effective, and stronger guardrails around health care data and payment systems.

The lesson here is a simple one: a basic access control bypass can leak deeply personal data onto the public web. At a time when Broken Access Control is still the number one risk for web applications, companies that handle pet wellness services have as much of an obligation as hospitals and banks to ship quickly and verify every access, every time.

Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.