Petco has acknowledged a data security incident that has revealed sensitive information about customers. Initially admitting to a breach without providing specifics, legal notifications in various states now clarify the extent of the hack.

In submissions to the Texas attorney general, along with alerts to officials in California, Massachusetts, and Montana, Petco revealed that compromised data encompassed customers’ names, Social Security numbers, driver’s license numbers, birth dates, and financial details such as account and card numbers.

In a couple of states, Petco reported only a small number of affected individuals, but California’s disclosure threshold (triggered when 500 or more customers are impacted) implies a greater number of victims there.

Initially reported by TechCrunch, Petco chose not to respond to detailed inquiries regarding the number of affected customers, whether unauthorized individuals accessed or took the exposed files, or which application was at fault.

Previously, Petco indicated serving more than 24 million customers in 2022, highlighting the potential magnitude of the breach.

A sample notification from California’s attorney general suggests that the breach occurred due to a misconfigured setting in one of Petco’s software applications, inadvertently allowing files to be accessible online.

Petco claims it has rectified the setting, eliminated the exposed files, and put in place additional security protocols.

The company is providing complimentary credit and identity monitoring services to impacted individuals in states where such assistance is mandated by law when sensitive information like SSNs or driver’s license numbers is compromised.

It remains uncertain if Texas residents will be granted the same level of protection.