According to Mashable, Petco has confirmed a data breach that exposed a trove of highly sensitive customer information, including names, Social Security numbers, driver’s license numbers, dates of birth, and financial account details. The breach, first detailed in required legal filings to state attorneys general in Texas, California, Massachusetts, and Montana, stemmed from a misconfigured setting in one of the company’s software applications. This setting inadvertently made a number of files publicly accessible online. Petco has not disclosed how many customers were impacted, but the fact that it triggered California’s disclosure threshold—which only applies when 500 or more residents are affected—suggests a significant number. The company, which reported serving over 24 million customers in 2022, has corrected the setting, removed the files, and is offering credit monitoring where required by law.
The real scale is probably massive
Here’s the thing: the most alarming detail isn’t just what was leaked, but the sheer potential scale. Petco saying it serves 24 million customers is a huge red flag. We’re talking about a company with a massive digital footprint. And their refusal to answer basic questions from TechCrunch—like how many people were actually hit or if data was stolen—is a classic corporate deflection move. It basically means the number is bad. The fact that only a “handful” of residents were reported affected in two states, but California’s 500-person threshold was met, tells you this was widespread. This wasn’t a tiny, isolated glitch.
Why this kind of breach is so bad
Look, a leaked email address is one thing. But Social Security numbers and driver’s license info? That’s the crown jewels for identity thieves. That data doesn’t change. You can’t get a new SSN easily. This exposure sets up victims for years of potential fraud, from tax scams to opening new lines of credit. And the cause? A “misconfigured setting.” It sounds so mundane, so stupid. It’s not a sophisticated nation-state hack; it’s often an IT oversight. But the result is just as devastating for the people whose data is now floating around. Petco offering credit monitoring is the bare minimum, a band-aid on a gaping wound. It doesn’t prevent the fraud; it just maybe helps you spot it after the fact.
The patchwork of consumer protection
This case perfectly highlights the messy, state-by-state patchwork of data breach laws in the U.S. Petco is offering identity monitoring “in states where such support is required by law.” So your level of protection literally depends on your zip code. The filings themselves are public because of state laws, like those in Massachusetts and Montana. The article even points out it’s still to be determined if Texas residents get the same help. That’s absurd, right? Your sensitive data is exposed, but whether the company has to give you tools to deal with it depends on local politics. It creates a totally uneven playing field for consumers.
What should you do now?
If you’re a Petco customer, you should assume your data was involved and act accordingly. Don’t wait for a letter. Place a free fraud alert on your credit reports with the three major bureaus. Consider a credit freeze, which is more robust. Scrutinize your bank and credit card statements like a hawk for the foreseeable future. And this is a good reminder for everyone: be wary of what information you give to retailers, even trusted ones. Do they really need your SSN? Probably not. In an era where even basic configuration errors can lead to catastrophe, the less data out there, the better.
