
A significant security vulnerability at Petco’s veterinary services division has compromised sensitive customer information, forcing the pet wellness giant to take portions of its Vetco Clinics website offline. The data exposure, discovered by TechCrunch investigators, allowed unrestricted access to confidential customer records without requiring any authentication.
This security incident marks Petco’s third data breach in 2023, raising serious concerns about the company’s data protection practices and its handling of sensitive customer information.
How the Security Vulnerability Worked
The security flaw resided in Vetco’s customer portal (petpass.com), specifically in how the system generated PDF documents. TechCrunch discovered that the PDF generation page lacked password protection, allowing anyone to access customer files directly from Vetco’s servers by simply manipulating web addresses with sequential customer identification numbers.
This type of vulnerability, known as an insecure direct object reference (IDOR), represents a fundamental security oversight. The sequential nature of customer numbers potentially exposed millions of records, as accessing different customer files required merely changing digits in the URL.
Even more concerning, at least one customer record had been indexed by Google, making it discoverable through a simple search query. Evidence suggests these records may have been exposed since at least mid-2020.
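To make the flaw described above concrete, here is an added illustration (not Vetco's code, and the record store, session and ids are constructed sample data): a PDF-download handler that trusts a sequential customer id from the URL, beside a hardened version that requires a session, checks record ownership, uses opaque tokens in links, and sends headers that keep the response out of caches and search indexes.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample records keyed by sequential customer id (the weak design).
RECORDS = {
    1001: {"owner": "alice@example.test", "pdf": b"%PDF-1.4 rex visit summary"},
    1002: {"owner": "bob@example.test", "pdf": b"%PDF-1.4 mittens vaccinations"},
}

@dataclass
class Request:
    """Stand-in for an HTTP request: the logged-in user (None if no session),
    the customer id from the URL (old design) or the opaque token (new design)."""
    user: Optional[str]
    customer_id: Optional[int] = None
    token: Optional[str] = None

def serve_pdf_vulnerable(req: Request):
    """Mirrors the IDOR: no authentication and no ownership check, so changing
    the id in the URL returns the next customer's file. Returns (status, body, headers)."""
    rec = RECORDS.get(req.customer_id)
    return (200, rec["pdf"], {}) if rec else (404, b"", {})

# Hardened design: unguessable per-record tokens replace sequential ids in links.
TOKENS = {secrets.token_urlsafe(32): cid for cid in RECORDS}

# Keep the PDF out of shared caches and search engines (one record here was Google-indexed).
PRIVATE_HEADERS = {"Cache-Control": "private, no-store", "X-Robots-Tag": "noindex, nofollow"}

def serve_pdf_hardened(req: Request):
    """Require a session, resolve the token, and verify the requester owns the record.
    Unknown and foreign records both answer 404 so the endpoint does not reveal which exist."""
    if req.user is None:
        return (401, b"", PRIVATE_HEADERS)          # refuse before touching any record
    rec = RECORDS.get(TOKENS.get(req.token or ""))
    if rec is None or rec["owner"] != req.user:     # authorization on every object access
        return (404, b"", PRIVATE_HEADERS)
    return (200, rec["pdf"], PRIVATE_HEADERS)

def token_for(customer_id: int) -> str:
    """The link a logged-in owner is handed inside their own portal (hypothetical helper)."""
    return next(t for t, c in TOKENS.items() if c == customer_id)
```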
Scope of the Exposed Information
The compromised data contained highly sensitive information including:
- Customer names, home addresses, email addresses, and phone numbers
- Visit summaries and complete medical histories
- Prescription and vaccination records
- Locations of Vetco clinic visits
- Medical assessments, test results, and diagnoses
- Cost information for services rendered
- Names of attending veterinarians
- Consent forms with customer signatures
- Service dates
Pet-specific information was also exposed, including animal names, species, breeds, sex, age, birth dates, microchip numbers, vital medical data, and prescription histories.
Petco’s Response to the Incident
TechCrunch alerted Petco to the vulnerability on a Friday, but the company only acknowledged the data exposure the following Tuesday after researchers followed up with examples of exposed customer files. Company spokesperson Ventura Olvera stated that Petco had
