Pet wellness retailer Petco has taken portions of its Vetco Clinics website offline following a significant data breach that exposed sensitive customer and pet information. The vulnerability, first reported by TechCrunch, allowed unauthorized access to records including medical histories, prescriptions, and personal identification details. Petco confirmed an investigation is underway but has released limited details about the scope of the incident.
The exposed data, relating to Vetco customers, included names, addresses, phone numbers, email addresses, and detailed veterinary records for their pets. This is the third reported security incident involving Petco this year, raising concerns about the company’s overall cybersecurity posture and data protection practices.
How the Vetco Data Breach Occurred
TechCrunch discovered the security lapse stemmed from a vulnerability in how Vetco’s website generates PDF documents containing customer records. The page responsible for creating these PDFs was publicly accessible, lacking the necessary security protocols to restrict access to authorized users.
Specifically, the website allowed access to sensitive files by simply modifying the URL to input a customer’s unique identification number. Because these numbers appear to be sequential, researchers were able to access records beyond a single customer by incrementally changing the ID. Initial testing indicated potentially millions of customer records were vulnerable.
This type of vulnerability is known as an insecure direct object reference (IDOR), a common web security flaw. IDOR flaws occur when an application returns an object (here, a customer's PDF) based on a user-supplied identifier without first checking that the requesting user is authorized to view that object.
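As an added illustration (not Petco's or Vetco's code), the pattern just described beside the authorization check that prevents it; the record store, owner names and sequential IDs are constructed sample data.

```python
# Added example: the IDOR pattern beside a hardened version.
# RECORDS, the owner names and the IDs below are constructed sample data.
import secrets

# Sample records keyed by a sequential, guessable ID (constructed).
RECORDS = {
    1001: {"owner": "alice", "pet": "Rex", "rx": "carprofen 75mg"},
    1002: {"owner": "bob", "pet": "Mittens", "rx": "amoxicillin 50mg"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_record_vulnerable(record_id: int) -> dict:
    """IDOR: trusts the user-supplied ID and never asks who is calling.
    Changing the ID in the request returns another customer's record."""
    return RECORDS[record_id]


def is_authorized(caller: str, record_id: int) -> bool:
    """Ownership check: the record must exist AND belong to the caller.
    Missing and not-owned records are treated identically so the response
    does not reveal which sequential IDs exist."""
    record = RECORDS.get(record_id)
    return record is not None and record["owner"] == caller


def get_record_authorized(caller: str, record_id: int) -> dict:
    """Hardened: same user-supplied ID, but gated on the ownership check.
    'caller' is the authenticated user from the session, not from the URL."""
    if not is_authorized(caller, record_id):
        raise Forbidden("record not found or not owned by caller")
    return RECORDS[record_id]


def make_opaque_id() -> str:
    """Defense in depth: unguessable IDs stop enumeration by counting.
    This complements, and never replaces, the ownership check above."""
    return secrets.token_urlsafe(16)
```

In a real application the caller identity must come from the verified session, and the ownership check must run on every object-returning endpoint, including the PDF generator.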
Timeline of Discovery and Response
TechCrunch initially alerted Petco to the issue on Friday. The company acknowledged the potential data exposure several days later, on Tuesday, after receiving follow-up communication including examples of exposed customer files. A Petco spokesperson stated the company is “implementing additional measures to further strengthen the security of our systems,” but did not provide specifics.
The company also indicated it is currently assessing whether data was actually extracted during the period the vulnerability existed. Logs that would definitively confirm data exfiltration were not mentioned. Worryingly, at least one customer record was indexed by Google, meaning it was publicly discoverable through a simple search.
Petco’s History of Data Security Incidents
This latest data leak is not an isolated event for Petco. Earlier in 2023, the company was reportedly targeted by hackers associated with the Scattered Lapsus$ Hunters group, who allegedly stole data from a Salesforce database used by Petco. The hackers demanded ransom payments to prevent the release of the stolen information.
In September, Petco disclosed a separate security incident that it identified internally. The company attributed this breach to a misconfigured software application that inadvertently made certain files accessible online. This earlier incident involved potentially sensitive personal information, including Social Security numbers, driver’s license details, and financial data.
While Petco has not publicly stated the number of individuals affected by the September breach, California law mandates disclosure for incidents impacting over 500 residents of the state. The company has not indicated whether this threshold was met.
The repeated nature of these incidents raises questions about the effectiveness of Petco’s data security protocols and the resources allocated to protecting customer information. Experts in cybersecurity emphasize the importance of regular security audits, robust access controls, and prompt patching of vulnerabilities to prevent such breaches.
Related concerns include the potential for identity theft and misuse of sensitive pet medical information. Exposed microchip numbers, for example, could be misused.
Petco has not yet announced a timeline for fully resolving the vulnerabilities or providing comprehensive notification to affected customers. The company is expected to provide further updates as the investigation progresses, and regulatory bodies may also initiate inquiries into the matter. It remains to be seen whether these breaches will lead to long-term reputational damage or legal repercussions for the pet wellness giant.