Cyber Incident Victim: PupBox

The PupBox data breach occurred between February 11, 2020, and August 9, 2020, when threat actors installed an unauthorized plug-in on the company’s website, PupBox.com. This malicious code captured and transmitted customer payment card information and personal data to a third-party server over a six-month period. PupBox, a subsidiary of Petco Health and Wellness Company specializing in customized puppy subscription boxes, discovered fraudulent activity alerts on August 7, 2020, involving credit cards used on its platform between February 26 and July 21, 2020. The company formally identified the security incident on September 2, 2020, after which it investigated the breach’s scope. On October 2, 2020, PupBox notified affected subscribers that their names, addresses, email addresses, passwords, credit card numbers, expiration dates, and CVV codes had been compromised. The breach impacted over 30,000 customers, with some already experiencing fraudulent transactions prior to the notification.

PupBox’s October 2 notification letter, signed by Ben Zvaifler, confirmed the company learned of the breach in early September but delayed informing victims for at least a month while assessing the incident. The delay and prolonged exposure period drew scrutiny from the law firm Schubert Jonckheer & Kolbe LLP, which launched an investigation into PupBox and Petco’s cybersecurity practices. The firm highlighted concerns about the six-month duration of the breach and the adequacy of PupBox’s response timeline. No specific containment measures or technical corrections were detailed in the notification, though the malicious plug-in was presumably removed by August 9, 2020, when data exfiltration ceased. The incident resulted in confirmed fraud cases linked to stolen payment details and prompted potential legal action due to alleged failures in breach disclosure protocols and data protection safeguards.