Pet products and services giant Petco disclosed a data breach on Wednesday in a filing with California’s attorney general, which the company says involves the personal information of its customers.
The state published a sample of the notification letter that Petco is sending to customers affected by the breach. In the letter, Petco said that it identified “a setting within one of our software applications that inadvertently allowed certain files to be accessible online,” adding that the company discovered the issue on its own, and “immediately took steps to correct the issue and to remove the files from further online access.”
The letter, however, does not specify what type of customers’ personal information was exposed during the security lapse.
Petco spokesperson Ventura Olvera told TechCrunch that the company had “provided further information to individuals whose information was involved.”
Olvera did not respond to a series of follow-up questions, including how many customers were affected by the incident, and what type of personal data was exposed.
California law requires that companies disclose data breaches involving 500 or more state residents, suggesting at least 500 Petco customers in California are affected. Petco has also notified an unspecified number of people in Massachusetts, and three people in the state of Montana, according to the state’s website.
The company said it is also offering free credit and identity theft monitoring services to the victims. Un
Source: https://techcrunch.com/2025/12/05/petco-confirms-security-lapse-exposed-customers-personal-data/
Petco cybersecurity rating report: https://www.rankiteo.com/company/petco-animal-supplies-inc-
"id": "PET1764951536",
"linkid": "petco-animal-supplies-inc-",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'At least 500 in '
'California, '
'unspecified in '
'Massachusetts, and '
'3 in Montana',
'industry': 'Pet Products and Services',
'location': 'United States',
'name': 'Petco',
'size': None,
'type': 'Company'}],
'attack_vector': 'Misconfiguration',
'customer_advisories': 'Free credit and identity theft '
'monitoring services offered to victims',
'data_breach': {'data_encryption': None,
'data_exfiltration': None,
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personal '
'information)',
'type_of_data_compromised': 'Personal '
'information'},
'description': 'Petco disclosed a data breach involving the '
'personal information of its customers. The '
'company identified a misconfigured setting in '
'one of its software applications that allowed '
'certain files to be accessible online. The issue '
'was discovered and corrected internally, and the '
'files were removed from further online access.',
'impact': {'brand_reputation_impact': None,
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': 'Personal information of '
'customers',
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High (free credit and '
'identity theft monitoring '
'offered)',
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': 'Software application with '
'misconfigured settings'},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': 'Corrected the '
'misconfigured '
'setting and '
'removed files '
'from online '
'access',
'root_causes': 'Software '
'misconfiguration '
'leading to '
'inadvertent file '
'accessibility'},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': None,
'source': 'TechCrunch',
'url': None},
{'date_accessed': None,
'source': 'California Attorney General',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': 'California '
'data breach '
'notification '
'law (if 500+ '
'residents '
'affected)',
'regulatory_notifications': 'Filed '
'with '
'California’s '
'attorney '
'general, '
'Massachusetts, '
'and '
'Montana'},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Notification letters '
'sent to affected '
'customers',
'containment_measures': 'Removed files from further '
'online access',
'enhanced_monitoring': None,
'incident_response_plan_activated': None,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': 'Corrected the '
'misconfigured setting',
'third_party_assistance': None},
'title': 'Petco Data Breach Due to Inadvertent File '
'Accessibility',
'type': 'Data Breach',
'vulnerability_exploited': 'Inadvertent file accessibility due '
'to software misconfiguration'}