Petco confirms major data breach exposing customer data
State filings reveal exposure of names, Social Security numbers and financial data tied to a misconfigured software setting; company offers monitoring in California, Massachusetts and Montana, with unclear coverage for Texas residents.

Petco has confirmed a data breach that exposed sensitive customer information after a software configuration allowed certain files to be accessible online. The retailer disclosed the incident in state regulatory filings after identifying the configuration in one of its applications.
According to the Texas attorney general's office, the exposed data included names, Social Security numbers, driver's license numbers, financial account details, credit or debit card numbers and dates of birth. California, Massachusetts and Montana filings confirm additional affected residents. California requires notification for breaches involving 500 or more state residents; Petco did not disclose the total number of affected customers, suggesting the figure could be larger. In 2022, Petco said it served more than 24 million customers. The company said it notified individuals whose information was involved and provided a sample notice in California that described how a software setting left files accessible online. Petco said the files have been removed, the setting corrected and additional security measures put in place.
Petco says the breach has been contained and that it began an investigation while notifying affected individuals. In a statement provided to CyberGuy, a company representative said, "We recently identified a setting in one of our applications which inadvertently made certain Petco files accessible online. Upon identifying the issue, we took immediate steps to correct the error and began an investigation. We notified individuals whose information was involved and continue to monitor for further issues. We take this incident seriously. To help prevent something like this from happening again, we have taken and will continue to take steps to enhance the security of our network."
For consumers, the exposure of government IDs, financial numbers and birth dates can create long-term risks. Criminals can use this information to open new accounts, take over existing ones or pass identity checks. Even if no fraud appears immediately, compromised data can sit in criminal markets for years.
To reduce risk, experts suggest several protective steps. Start with placing a credit freeze with the three major credit bureaus—Equifax, Experian and TransUnion. A freeze blocks new credit accounts in a person’s name and prevents lenders from opening loans or cards using stolen information. Some states offer freezes for free; consumers should verify costs and procedures with each bureau.
Beyond the main bureaus, consider two additional freezes: one with ChexSystems to block new checking or savings accounts, and one with NCTUE to curb fraudulent attempts to open phone, cable or utility accounts. Turn on account alerts for banking, credit cards and online shopping, as these can help detect suspicious activity early. A password manager can generate unique passwords for each account, reducing the risk of credential stuffing attacks that reuse passwords across sites. If available, enroll in credit monitoring or identity theft monitoring, as offered in some states, to catch fraud months or years after a breach.
If you discover your email or other data has appeared in known breaches, act quickly by changing reused passwords and securing accounts with new, unique credentials. Data removal services can help, though they are not inexpensive and cannot guarantee complete erasure from the internet. Reducing exposed information can make it harder for criminals to tie breaches to you on the dark web.
Phishing remains a common follow-up tactic after breaches. Slow down and verify messages before clicking links, and ensure devices run up-to-date antivirus software that can block malware and alert users to risky messages.
Petco notes that it has offered free credit and identity theft monitoring in some states, including California, Massachusetts and Montana, with the status of Texas residents unclear. The company said it would continue to monitor for further issues as it enhances security across its network.
The timeline and scope of the incident remain under review by state regulators and the company. As with many data breaches, the exact number of affected customers may not be fully disclosed until regulator investigations are complete. The breach underscores ongoing privacy and security challenges facing retailers that handle large volumes of consumer data in an increasingly digital environment.
Industry observers note that while technical fixes can close exposed gaps, the human element—phishing, social engineering and identity theft—remains a persistent risk after any breach. Consumers are advised to review account statements closely, monitor credit reports for unusual activity and report suspicious requests for information promptly. Regulators may require further disclosures as investigations progress, and Petco’s security enhancements will likely be scrutinized in the coming months.
In closing, Petco maintains that the vulnerability has been remedied and that it is expanding safeguards to prevent similar incidents. The company also emphasizes ongoing compliance with state reporting requirements and continued communication with affected customers as more details emerge. As the technology and AI landscape evolves, this incident serves as a reminder of the importance of robust data protection practices for retailers handling vast customer datasets.