Petco, the prominent pet products and services company, publicly disclosed a data breach on Wednesday by filing a notice with the California attorney general. The company stated that the breach involved the inadvertent exposure of its customers’ personal information. This disclosure was made after the state published a sample of the notification letter that Petco is sending to the individuals who were impacted by the security lapse.
In the official notification letter, Petco explained that it had identified “a setting within one of our software applications that inadvertently allowed certain files to be accessible online.” The company further noted that it discovered the issue internally and independently, and “immediately took steps to correct the issue and to remove the files from further online access.” However, the letter itself was notably vague and did not specify the exact categories of customers’ personal information that were exposed because of the security incident.
When questioned about the incident, Petco spokesperson Ventura Olvera stated that the company had “provided further information to individuals whose information was involved.” Olvera declined to answer several key follow-up questions from the press, including the total number of customers who were affected by the breach and the specific types of personal data that were compromised during the exposure.
The requirement for companies to disclose data breaches in California only applies to incidents involving 500 or more state residents, strongly suggesting that at least 500 Petco customers within California were affected by the breach. Furthermore, based on information available on the state’s website, Petco has also reportedly notified an unspecified number of individuals in Massachusetts, in addition to three customers who reside in the state of Montana.
As a corrective measure, the company has stated that it is providing free credit and identity theft monitoring services to those who have become victims of the security lapse. This offer is likely influenced by California law, which mandates that companies provide resources to credit monitoring firms if sensitive identifiers like a person’s driver’s license number or Social Security number are part of the compromised data.