Pet supplies and services giant Petco acknowledged last week that it had suffered a data breach involving customers' personal information, but did not say what type of data was affected.
Petco reported Friday in a legal filing with the Texas Attorney General's Office that the affected data includes names, social security numbers, driver's license numbers, financial information such as account numbers, credit or debit card numbers, and dates of birth.
Petco filed similar legally required notices in California, Massachusetts, and Montana. In the latter two states, Petco reported one and three residents affected, respectively.
The company did not disclose the exact number of victims in California, which requires companies to disclose data breaches involving at least 500 residents, suggesting there are many more victims.
Petco spokeswoman Ventura Olvera did not respond to a series of questions Monday, including how many customers were affected by the incident. Whether Petco has the technical means, including logs, to determine whether cybercriminals have accessed and stolen customer public data. When and how were specific problems identified? And what was the application involved in the incident?
For context, Petco said in 2022 it served more than 24 million customers.
On Friday, Petco spokesperson Ventura Olvera said in a statement to TechCrunch that the company has “provided further information to the individuals involved.”
tech crunch event
San Francisco | October 13-15, 2026
The California Attorney General's Office released a sample letter that Petco is sending to customers. The message states that Petco discovered an issue with “a setting in one of our software applications that incorrectly allowed access to certain files online,” and that the company “immediately took steps to correct the issue and remove the file from future online access,” and that it had “corrected” the setting and implemented unspecified “additional security measures.”
The company offers free credit and identity theft monitoring services to victims in California, California, Massachusetts, and Montana. California law, for example, requires companies to provide these services if a data breach victim's driver's license number or Social Security number is compromised. It is unclear whether Petco also offers these services to victims in Texas.