Last week, pet products and services giant Petco confirmed it had suffered a data breach involving customers’ personal information, without specifying what type of data was affected.
On Friday, in a legally required filing with the Texas attorney general’s office, Petco said the affected data included names, Social Security numbers, driver’s license numbers, financial information such as account numbers, credit or debit card numbers and dates of birth.
Petco filed similar legally required notices in California, Massachusettsand Montana. In the latter two states, Petco said a and three affected residents, respectively.
The company did not disclose the exact number of victims in California, where companies are required to disclose breaches involving at least 500 state residents, suggesting there are more victims than that number in the state.
Petco spokesman Ventura Olvera did not respond to a series of questions sent Monday, which included how many customers in total were affected by this incident. whether Petco has technical means, including logs, to determine whether cybercriminals accessed and stole exposed customer data; what and when the matter was identified; and what was the app involved in the incident.
For context, in 2022, Petco he said served more than 24 million customers.
On Friday, Petco spokesman Ventura Olvera said in a statement to TechCrunch that the company “provided further information to individuals whose information was involved.”
Techcrunch event
San Francisco
|
13-15 October 2026
Attorney General of California posted a sample letter that Petco sends to its customers. The message said Petco had discovered a problem with “a setting in one of our software applications that inadvertently allowed certain files to be accessed online,” that the company “immediately took steps to correct the problem and remove the files from further online access,” and that it had “corrected” the setting and implemented unspecified “additional security measures.”
The company offers free credit and identity theft monitoring services to victims in California, Massachusetts and Montana. Under California law, for example, companies must provide these services if a data breach victim’s driver’s license number or Social Security number is compromised. It is unclear whether Petco also offers these services to victims in Texas.
