Pet wellness company Petco has taken its Vetco Clinics website offline following a significant security breach that exposed the personal information of numerous customers. The exposure was first reported by TechCrunch, which alerted Petco to the vulnerability allowing sensitive data to be accessed without user login credentials.
The breach permitted anyone with internet access to download customer records from Vetco’s website. Petco confirmed its investigation into the incident but refrained from providing further details. Initial findings revealed that at least one customer record was indexed by Google, making it possible for individuals to discover the compromised data through search queries. These records contained sensitive information, including visit summaries, medical histories, and vaccination records for both customers and their pets.
The files accessed during the breach included a variety of personal details: customer names, home addresses, email addresses, phone numbers, and the location of the Vetco clinic where services were rendered. Additionally, the records detailed medical assessments, tests, diagnoses, costs of services, names of veterinarians involved, consent forms, and even the pets’ names, species, breeds, ages, and microchip numbers, if registered.
TechCrunch identified the breach on a Friday and reported it to Petco, which acknowledged the issue the following Tuesday after the publication provided evidence of the exposed files. Ventura Olvera, a spokesperson for Petco, stated that the company has “implemented, and will continue to implement, additional measures to further strengthen the security of our systems.” However, Petco did not provide specific evidence to support these claims.
The vulnerability was traced to how the Vetco website generates PDF documents for customers. The customer portal, located at petpass.com, was supposed to be secure; however, TechCrunch discovered that the PDF generation page was publicly accessible. This oversight allowed anyone to access sensitive customer files by simply modifying the web address to include a customer’s unique identification number. Because these numbers are sequential, it was relatively easy for someone to access records of multiple customers by changing the number slightly.
The breach is categorized as an insecure direct object reference (IDOR), a common web application flaw in which the server fetches a file or record using an identifier supplied by the client without first verifying that the requester is logged in and authorized to see that particular object. While it remains unclear how long the records were exposed, the record indexed on Google was dated mid-2020, indicating a potentially long-standing vulnerability.
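The two preceding paragraphs describe the mechanism in prose: a PDF-generation endpoint that takes a sequential customer number from the URL and returns the file without checking who is asking. The following is an added illustration, not code from Petco, Vetco or TechCrunch, and it assumes nothing about how the real petpass.com portal was built. It models the request handler in plain Python so it runs offline: a vulnerable handler that trusts the client-supplied id, a hardened handler that requires a session and an ownership check and returns the same failure for "not found" and "not yours", and a per-user opaque download token so the identifier in the URL is no longer a guessable sequence. The record data, owner names and PDF stub are all constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass
class Record:
    record_id: int
    owner: str      # username of the customer who may view this record
    summary: str


# Constructed sample data: sequential ids like the ones described in the article.
RECORDS: Dict[int, Record] = {
    1001: Record(1001, "alice", "annual exam, rabies vaccine"),
    1002: Record(1002, "bob", "dental cleaning"),
    1003: Record(1003, "carol", "microchip registration"),
}


class NotAuthorized(Exception):
    """Raised when a caller may not view a record (missing login or not the owner)."""


def generate_pdf(record: Record) -> bytes:
    """Stand-in for the real PDF renderer; the bytes are a constructed stub."""
    return f"%PDF-stub% record {record.record_id}: {record.summary}".encode()


def download_pdf_vulnerable(record_id: int) -> bytes:
    """IDOR: no session required, and any id that exists is served to anyone."""
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError(record_id)
    return generate_pdf(record)


def _authorized_record(session_user: Optional[str], record_id: int) -> Record:
    """Ownership check shared by the hardened handlers.

    A missing record and someone else's record raise the same exception so the
    endpoint does not act as an oracle for which ids exist.
    """
    if session_user is None:
        raise NotAuthorized("login required")
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        raise NotAuthorized("record not available")
    return record


def download_pdf_hardened(session_user: Optional[str], record_id: int) -> bytes:
    """Same endpoint with authentication and an object-level authorization check."""
    return generate_pdf(_authorized_record(session_user, record_id))


# Opaque download tokens: issued only after the ownership check passes, bound to
# the issuing user, and unguessable (256 bits of randomness), so a URL cannot be
# stepped from one customer to the next.
_TOKENS: Dict[str, Tuple[str, int]] = {}


def issue_download_token(session_user: Optional[str], record_id: int) -> str:
    _authorized_record(session_user, record_id)
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = (session_user, record_id)
    return token


def download_by_token(session_user: Optional[str], token: str) -> bytes:
    entry = _TOKENS.get(token)
    if entry is None or entry[0] != session_user:
        raise NotAuthorized("invalid token")
    return download_pdf_hardened(session_user, entry[1])


def count_readable(fetch: Callable[[int], bytes], ids: Iterable[int]) -> int:
    """Audit helper: how many ids in a range a given caller can actually read.

    Used to confirm a fix in a test environment; it returns a count, not data.
    """
    readable = 0
    for record_id in ids:
        try:
            fetch(record_id)
            readable += 1
        except (KeyError, NotAuthorized):
            pass
    return readable


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("unauthenticated, vulnerable:", count_readable(download_pdf_vulnerable, ids))
    print("unauthenticated, hardened:  ", count_readable(lambda i: download_pdf_hardened(None, i), ids))
    print("alice, hardened:            ", count_readable(lambda i: download_pdf_hardened("alice", i), ids))
```

Running the audit over the constructed id range shows the difference the check makes: the vulnerable handler exposes every existing record to an anonymous caller, the hardened one exposes none without a session and exactly one to a logged-in customer. Switching the URL parameter to the opaque token removes the sequential structure the article describes, but the ownership check is the actual fix; the token is defense in depth, not a substitute for it.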
This incident marks Petco’s third data breach in 2023. Earlier this year, hackers linked to the Scattered Lapsus$ Hunters group reportedly stole extensive data from a database hosted by Salesforce, demanding ransom payments from affected companies to prevent the release of sensitive information. In September, Petco disclosed a separate data breach, which the company attributed to a configuration issue within its software that inadvertently exposed certain files online. This breach involved sensitive customer information, including Social Security numbers, driver’s licenses, and financial details such as debit and credit card numbers.
While Petco has not disclosed the number of individuals affected by the September breach, California law mandates public disclosure when more than 500 residents are impacted. The latest data exposure involving Vetco appears to be a distinct incident, as Petco had begun notifying customers about the previous breach several months prior.
As Petco continues its investigation into the recent security failure, the company faces pressure to enhance its data protection measures to prevent further incidents and safeguard customer information effectively.
