Petco takes down Vetco website after exposing customers’ personal information

**Petco Vetco Clinics Expose Customer and Pet Data in Latest Security Lapse**

Petco has taken part of its Vetco Clinics website offline after a security flaw exposed sensitive customer and pet records to the open web. The incident, discovered by TechCrunch and reported to the company on Friday, allowed unauthorized access to medical histories, prescription details, and personal information without requiring login credentials.

The exposed records included customer names, addresses, emails, phone numbers, clinic visit locations, veterinary assessments, and financial details. Pet data—such as names, breeds, ages, microchip numbers, and medical vitals—was also compromised. At least one record, dated mid-2020, was indexed by Google, making it publicly searchable.

The vulnerability stemmed from an insecure direct object reference (IDOR) flaw in Vetco’s PDF-generating system. The portal, hosted at petpass.com, lacked proper authentication, enabling anyone to access files by manipulating customer ID numbers in the URL. Since these IDs are sequential, millions of records may have been exposed. TechCrunch confirmed the issue by testing intervals of 100,000 customer numbers.
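The access-control gap described above, and the object-level check that closes it, as an added example (not Petco's code or anything from the original report). The handler names, record layout, and e-mail addresses are hypothetical and the data is constructed; the response headers also address the search-engine indexing mentioned earlier.

```python
# Added example: hypothetical handler names and constructed records, not Petco's code.
from typing import NamedTuple, Optional

# Constructed records keyed by sequential customer ID, as the article describes.
RECORDS = {
    100001: {"owner": "alice@example.com", "pdf": b"%PDF-1.4 visit summary (Alice)"},
    100002: {"owner": "bob@example.com", "pdf": b"%PDF-1.4 visit summary (Bob)"},
}

class Response(NamedTuple):
    status: int
    headers: dict
    body: bytes

# Keep authenticated documents out of shared caches and search indexes.
PRIVATE_HEADERS = {"Cache-Control": "no-store", "X-Robots-Tag": "noindex"}

def get_pdf_flawed(customer_id: int, session_user: Optional[str]) -> Response:
    """The pattern described above: the ID in the URL is the only input consulted."""
    record = RECORDS.get(customer_id)
    if record is None:
        return Response(404, {}, b"")
    return Response(200, {}, record["pdf"])  # session_user is never checked

def get_pdf_hardened(customer_id: int, session_user: Optional[str]) -> Response:
    """Require a login, then authorize the specific object being requested."""
    if session_user is None:
        return Response(401, PRIVATE_HEADERS, b"")
    record = RECORDS.get(customer_id)
    # Answer "missing" and "not yours" identically so responses do not
    # reveal which customer IDs exist.
    if record is None or record["owner"] != session_user:
        return Response(404, PRIVATE_HEADERS, b"")
    return Response(200, PRIVATE_HEADERS, record["pdf"])

if __name__ == "__main__":
    for handler in (get_pdf_flawed, get_pdf_hardened):
        for user in (None, "alice@example.com"):
            for cid in (100001, 100002):
                print(handler.__name__, user, cid, handler(cid, user).status)
```

Replacing sequential IDs with random identifiers makes guessing harder, but the ownership check is what removes the flaw.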

Petco acknowledged the breach in a statement on Tuesday, saying it had implemented additional security measures, but it did not confirm whether its logs could determine if data was exfiltrated. The company declined to comment on the duration of the exposure.

This marks Petco’s third reported data breach in 2025. Earlier incidents included a ransomware attack by the Scattered Lapsus$ Hunters hacking group and a separate leak in September involving Social Security numbers, driver’s licenses, and payment card details. The latest Vetco incident appears unrelated to the prior breaches.

Source: https://techcrunch.com/2025/12/10/petco-takes-down-vetco-website-after-exposing-customers-personal-information/

Petco cybersecurity rating report: https://www.rankiteo.com/company/petco-animal-supplies-inc-

"id": "PET1765476698",
"linkid": "petco-animal-supplies-inc-",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Millions (potentially)',
                        'industry': 'Pet Wellness and Veterinary Services',
                        'location': 'United States',
                        'name': 'Petco',
                        'size': 'Large',
                        'type': 'Corporation'}],
 'attack_vector': 'Insecure Direct Object Reference (IDOR)',
 'customer_advisories': 'Public statement issued',
 'data_breach': {'file_types_exposed': ['PDF'],
                 'number_of_records_exposed': 'Millions (potentially)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Visit summaries',
                                              'Medical histories',
                                              'Prescription records',
                                              'Vaccination records',
                                              'Customer names',
                                              'Home addresses',
                                              'Email addresses',
                                              'Phone numbers',
                                              'Clinic locations',
                                              'Medical assessments',
                                              'Tests',
                                              'Diagnoses',
                                              'Costs of goods',
                                              'Veterinarian names',
                                              'Consent forms',
                                              'Owner signatures',
                                              'Dates of service',
                                              'Animal names',
                                              'Species and breed',
                                              'Sex',
                                              'Age',
                                              'Date of birth',
                                              'Microchip numbers',
                                              'Medical vitals']},
 'date_detected': '2025-06-13',
 'date_publicly_disclosed': '2025-06-17',
 'description': 'Petco took a portion of its Vetco Clinics website offline '
                'after a security lapse exposed customers’ personal '
                'information, including medical records, to the open web. The '
                'vulnerability allowed unauthorized access to customer records '
                'without login credentials.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Customer and pet medical records, personal '
                                'information',
            'downtime': 'Partial website takedown',
            'identity_theft_risk': 'Yes',
            'operational_impact': 'Investigation and remediation efforts',
            'systems_affected': 'Vetco Clinics website (petpass.com)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Need for stricter access controls and regular security '
                    'audits to prevent IDOR vulnerabilities.',
 'post_incident_analysis': {'corrective_actions': 'Additional security '
                                                  'measures implemented, '
                                                  'partial website takedown',
                            'root_causes': 'Insecure direct object reference '
                                           '(IDOR) vulnerability due to '
                                           'improper access controls on '
                                           'PDF-generating page'},
 'recommendations': ['Implement proper access controls for sensitive data',
                     'Conduct regular security audits',
                     'Enhance monitoring of data access',
                     'Notify affected customers promptly'],
 'references': [{'date_accessed': '2025-06-17',
                 'source': 'TechCrunch',
                 'url': 'https://techcrunch.com'}],
 'regulatory_compliance': {'regulations_violated': ['California Data Breach '
                                                    'Notification Law']},
 'response': {'communication_strategy': 'Public statement, customer '
                                        'notifications',
              'containment_measures': 'Partial website takedown, additional '
                                      'security measures',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Strengthening security of systems'},
 'title': 'Petco Vetco Clinics Data Exposure',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Improper access controls on PDF-generating page'}