Petco recently confirmed a major data breach caused by a misconfigured setting in one of its software applications, which left sensitive files publicly accessible online. Here are the key details:

What Happened

  • The breach occurred due to an application misconfiguration, not a direct hack.
  • Files containing personal data were exposed online for an unknown period before Petco discovered and fixed the issue.
  • Some reports suggest the vulnerability may have been active for several months before being addressed.

Data Exposed
According to filings with state attorneys general (Texas, California, Massachusetts, Montana), the compromised information includes:

  • Names
  • Social Security numbers (SSNs)
  • Driver’s license numbers
  • Dates of birth
  • Financial details (bank account numbers, credit/debit card numbers)

Scope

  • Petco has not disclosed the total number of affected customers.
  • California’s disclosure threshold (500+ residents) was triggered, suggesting a significant impact there.
  • Petco serves over 24 million customers, so the potential scale is large.

Response

  • Petco says it removed the exposed files, corrected the misconfiguration, and implemented additional security measures.
  • The company is offering free credit and identity theft monitoring to affected individuals in states where required by law.

Risks & Implications

  • Exposure of SSNs and driver’s license numbers poses long-term identity theft risks, including tax fraud and synthetic identity schemes.
  • A class action lawsuit has reportedly been filed against Petco over the breach.

Timeline of Petco Security Lapse

  • Discovery (Late November 2025)
    Petco found the issue during an internal security review. A misconfigured setting in one of its software applications made certain files publicly accessible online.
  • Public Disclosure (December 3, 2025)
    Petco filed a notice with the California Attorney General, officially confirming the breach and its root cause.
  • Further Details Released (December 5–8, 2025)
    Reports revealed that exposed data included names, Social Security numbers, driver’s license numbers, dates of birth, and financial account details. Notifications were sent to affected individuals in California, Texas, Massachusetts, and Montana.
  • Current Status (December 2025)
    Petco has corrected the misconfiguration, removed exposed files, implemented additional security measures, and is offering free credit and identity theft monitoring to impacted customers.

What Petco Customers Should Do

  1. Enroll in Petco’s Free Credit Monitoring (details in your notification letter).
    Take advantage of the identity theft protection offered.
  2. Place a Credit Freeze or Fraud Alert
    Contact major credit bureaus (Experian, Equifax, TransUnion) to prevent new accounts from being opened in your name.
  3. Monitor Financial Accounts
    Regularly check bank and credit card statements for unauthorized transactions.
  4. Review Your Credit Report
    Obtain free reports from AnnualCreditReport.com and look for suspicious activity.
  5. Report Identity Theft Immediately
    If you notice fraudulent activity, file a report at IdentityTheft.gov and notify your financial institutions.

TechCrunch:
https://techcrunch.com/2025/12/08/petcos-security-lapse-affected-customers-ssns-drivers-licenses-and-more/

Mashable:
https://mashable.com/article/petco-breach-customer-data
