
Petco’s Vetco Website Breach Exposes Customer Data

Originally published on: December 11, 2025
Summary

– Petco took part of its Vetco Clinics website offline after a security lapse exposed sensitive customer and pet data to the open internet without requiring login credentials.
– The exposed records included personal details like names and addresses, pet medical histories, visit summaries, prescriptions, and financial information from veterinary services.
– TechCrunch discovered the vulnerability, an insecure direct object reference (IDOR), which allowed sequential access to millions of customer files by altering a number in the web address.
– This incident marks Petco’s third data breach in 2025, following two earlier breaches involving stolen customer data and exposed financial information.
– Petco acknowledged the exposure and claims to have implemented additional security measures, but declined to confirm if it can determine whether any data was extracted.

A significant security lapse on the Petco Vetco Clinics website has exposed sensitive customer and pet information to the open internet. The company has taken a portion of the affected site offline following an investigation prompted by external reporting. This incident marks the third major data security event for the pet wellness retailer this year, raising serious concerns about its data protection practices.

The exposed data was extensive, containing highly personal details. Customer records included full names, home addresses, email addresses, and phone numbers. The files also revealed comprehensive pet medical histories, including visit summaries, vaccination and prescription records, medical assessments, diagnoses, and associated costs. Information about the animals themselves was also leaked, such as their names, species, breed, sex, age, date of birth, and microchip numbers. The documents even contained consent forms with owner signatures, veterinarian names, and the specific clinic locations where services were performed.

The vulnerability stemmed from a fundamental security oversight. The customer portal for accessing veterinary records featured a page that generated PDF documents. This PDF-generating page was not protected by any password or access control, making it publicly accessible to anyone online. By manipulating the web address to input a sequential customer identification number, anyone could directly download the sensitive files stored on Vetco’s servers. Since these customer numbers were issued in order, it was possible to access a vast number of records by simply changing the digits in the web address.

This type of flaw is known as an insecure direct object reference (IDOR), a common but serious access-control failure. It allows unauthorized access to data because the system fails to verify whether the user making the request is logged in and is actually entitled to the specific record being requested. One exposed customer record was found to have been indexed by Google, dating back to mid-2020, suggesting the data may have been vulnerable for a considerable period. Because the customer IDs were sequential, potentially millions of records could have been retrieved simply by counting through them.
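To make the pattern concrete, the following is an added illustration (not Vetco's code; the record store, the `Request` shape and the handler names are constructed for the example) of a record-download handler with the IDOR described above, beside a hardened version that authenticates the caller and checks that the requested record belongs to them. The final helper is a small authorization regression check that a site owner can run against their own handler.

```python
"""Vulnerable vs. hardened record-download handler (added example, not Vetco's code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: sequential customer IDs mapped to PDF records.
RECORDS = {
    1001: {"owner": "alice", "pdf": b"%PDF alice+rex visit summary"},
    1002: {"owner": "bob",   "pdf": b"%PDF bob+luna vaccination record"},
}

@dataclass
class Request:
    customer_id: int             # taken from the URL, so caller-controlled
    session_user: Optional[str]  # None when no valid login session exists

def vulnerable_pdf(req: Request) -> Tuple[int, bytes]:
    # No authentication and no ownership check: whatever customer_id appears
    # in the URL is served. This is the IDOR pattern from the article.
    rec = RECORDS.get(req.customer_id)
    return (200, rec["pdf"]) if rec else (404, b"")

def hardened_pdf(req: Request) -> Tuple[int, bytes]:
    # 1. Require an authenticated session before touching any record.
    if req.session_user is None:
        return (401, b"")
    rec = RECORDS.get(req.customer_id)
    # 2. Authorize: the record must belong to the logged-in user. Returning the
    #    same 404 for "missing" and "not yours" avoids confirming which IDs exist.
    if rec is None or rec["owner"] != req.session_user:
        return (404, b"")
    return (200, rec["pdf"])

def authz_regression_check(handler, start: int, count: int,
                           session_user: Optional[str] = None) -> int:
    """Walk a range of sequential IDs through `handler` and count how many
    records come back. For a correctly protected endpoint, an unauthenticated
    caller should get 0 and a logged-in user only their own records."""
    hits = 0
    for cid in range(start, start + count):
        status, _ = handler(Request(cid, session_user))
        if status == 200:
            hits += 1
    return hits
```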

When notified of the breach, a Petco spokesperson stated the company has “implemented, and will continue to implement, additional measures to further strengthen the security of our systems.” However, the company provided no evidence to substantiate these corrective actions. The spokesperson declined to confirm whether Petco possesses the technical logs necessary to determine if any data was actually downloaded by malicious actors during the period of exposure.

This latest incident follows two other data breaches disclosed by Petco in 2025. Earlier in the year, hackers allegedly stole customer data from a Salesforce database used by the company, later demanding a ransom. In September, Petco disclosed a separate breach it claimed to have discovered internally, blaming a misconfigured software setting that allowed files containing Social Security numbers, driver’s license details, and financial information to become accessible online. The scale of the September incident was not disclosed, though California law mandates public disclosure when a breach affects more than 500 state residents.

Given that Petco began notifying customers about the September breach months ago, this newly revealed Vetco website lapse appears to be a distinct and separate security failure. The repeated nature of these incidents highlights ongoing challenges in safeguarding customer data within the organization.

(Source: TechCrunch)
