Petco just confirmed a data breach that exposed customer personal information through a misconfigured software application. The pet retailer disclosed the incident to California's attorney general Wednesday but is keeping crucial details under wraps - including how many customers were affected and exactly what data was compromised. With at least 500 California customers impacted based on state filing requirements, this breach highlights ongoing security vulnerabilities in retail tech infrastructure.
Petco just became the latest retailer to stumble over basic security hygiene. The pet supply giant disclosed Wednesday that a misconfigured software application accidentally made customer files accessible online, though the company is being remarkably tight-lipped about the scope and severity of the breach.
According to a notification letter filed with California's attorney general, Petco discovered "a setting within one of our software applications that inadvertently allowed certain files to be accessible online." The company says it found the issue internally and "immediately took steps to correct the issue and to remove the files from further online access."
But that's where transparency ends. Petco's notification letter conspicuously omits what type of personal information was exposed, how long files were accessible, or how many customers are affected. When TechCrunch pressed for details, spokesperson Ventura Olvera said the company had "provided further information to individuals whose information was involved" but didn't respond to follow-up questions about the scale or nature of the exposed data.
The filing requirements offer some clues about the breach's scope. California law mandates disclosure for incidents affecting 500 or more state residents, suggesting at least that many Golden State customers had their data exposed. Massachusetts received notifications for an unspecified number of residents, while Montana's breach database shows just three affected customers in that state.
The incident adds to a growing list of retail security lapses that trace back to basic configuration errors. Earlier this year, Amazon dealt with similar exposure issues in its advertising platform, while Target and other major retailers have faced scrutiny over customer data handling practices.
What's particularly concerning is Petco's decision to offer free credit and identity monitoring services to victims. Under California law, companies only need to provide these resources when driver's license numbers or Social Security numbers are compromised - suggesting the exposed data was more sensitive than typical customer information like email addresses or purchase history.
