Petco has confirmed that a recent security lapse exposed highly sensitive customer data, including Social Security numbers, driver’s license details, and financial information, raising fresh concerns about data protection practices at major consumer brands. The pet products and services retailer initially acknowledged the incident last week but stopped short of explaining exactly what kind of personal information was involved.
That clarity arrived days later through legally required disclosures filed with several U.S. state authorities. In a notice submitted to the Texas attorney general’s office, Petco revealed that the exposed data went far beyond basic contact details. According to the filing, compromised information included customer names, Social Security numbers, driver’s license numbers, dates of birth, and financial data such as bank account numbers and credit or debit card details. This combination of identifiers significantly increases the risk of identity theft and financial fraud for those affected.
Similar breach notifications were also filed in California, Massachusetts, and Montana. In Massachusetts and Montana, Petco reported that one and three residents were affected, respectively. California’s filing is more telling. State law requires public disclosure only when a breach impacts at least 500 residents, yet Petco did not specify the exact number of affected individuals in California. That omission strongly suggests that the total number of victims in the state exceeds the reporting threshold, potentially by a wide margin.
Petco has not provided a nationwide figure for how many customers were impacted. Questions sent to company spokesperson Ventura Olvera regarding the total number of affected individuals, the timeline of the incident, whether logs could confirm unauthorized access, and which application was involved went unanswered. This lack of detail has left customers and regulators with unanswered questions about the scope and severity of the breach.
The absence of transparency is especially notable given Petco’s size. In 2022, the company reported serving more than 24 million customers, meaning even a limited configuration error could expose data at scale if left undetected. In a brief statement provided to TechCrunch, Olvera said Petco had “provided further information to individuals whose information was involved,” but did not elaborate on how many customers received notifications or what guidance they were given beyond standard credit monitoring.
More details emerged through a sample notification letter published by the California attorney general’s office. According to the letter, Petco discovered that “a setting within one of our software applications inadvertently allowed certain files to be accessible online.” The company said it immediately corrected the misconfiguration, removed the files from public access, and implemented additional security measures. However, the nature of those safeguards has not been disclosed, leaving uncertainty about whether similar vulnerabilities could exist elsewhere in Petco’s systems.
To mitigate the impact, Petco is offering free credit monitoring and identity theft protection services to affected customers in California, Massachusetts, and Montana. In California, such services are legally required when breaches involve Social Security numbers or driver’s license data. It remains unclear whether customers in Texas or other states are receiving similar protections, despite filings confirming that Texas residents were among those affected.
This incident underscores a growing pattern in data breaches linked not to sophisticated cyberattacks, but to internal configuration errors that expose sensitive files to the open internet. For consumers, the consequences can be just as severe, particularly when the exposed data includes permanent identifiers such as Social Security numbers. For Petco, the breach raises broader questions about oversight, incident detection, and whether large retailers are moving quickly enough to secure the vast volumes of personal information they collect.
As regulators continue to scrutinize the incident and customers await clearer answers, the Petco breach serves as another reminder that even trusted household brands are not immune to security failures—and that transparency after such incidents is becoming just as important as prevention.
