Petco’s vulnerability affected customers’ Social Security numbers, driver’s licenses, and more

Last week, Petco, the pet products and services giant, confirmed that it had suffered a data breach involving customers’ personal information, without specifying what type of data was affected.

On Friday, in a legally required filing with the Texas Attorney General’s Office, Petco said the affected data included: names, Social Security numbers, driver’s license numbers, and financial information such as account numbers, credit or debit card numbers, and dates of birth.

Petco has provided similar legally required notices in California, Massachusetts and Montana. In the last two states, Petco reported one and three residents infected, respectively.

The company did not reveal the exact number of victims in California, where companies are required to disclose violations that involved at least 500 state residents, indicating that there are more victims than this number in the state.

Petco spokesperson Ventura Olvera did not respond to a series of questions sent Monday, which included the total number of customers affected by this incident; Whether Petco had any technical means, including logs, to determine whether any cybercriminals accessed and stole exposed customer data; What and when the specific problem was identified; What application is involved in the incident?

For context, in 2022, Petco said it served more than 24 million customers.

On Friday, Petco spokesperson Ventura Olvera said in a statement to TechCrunch that the company “provided more information to the individuals whose information was involved.”

The California Attorney General posted a sample letter that Petco is sending to its customers. The letter said that Petco discovered an issue with “a setting within one of our software applications that inadvertently allowed access to certain online files,” that the company “immediately took steps to correct the issue and remove the files from further online access,” and that it “corrected” the setting and implemented unspecified “additional security measures.”

The company offers free credit monitoring and identity theft services to victims in California, Massachusetts, and Montana. Under California law, for example, companies must provide these services if a data breach victim’s driver’s license number or Social Security number is compromised. It’s not clear if Petco also provides these services to victims in Texas.