Cyber Incident Victim: Petco Health and Wellness Company
Date: Feb 2020
Location: United States of America
Summary
A subsidiary of Petco Health and Wellness Company experienced a prolonged data breach impacting over 30,000 customers due to an unauthorized website plug-in that captured and transmitted sensitive information to third-party servers over six months. The compromised data included subscribers' names, addresses, email credentials, passwords, and full payment card details, leading to confirmed fraudulent activities. The breach was discovered months after initial fraudulent activity reports, and victims were not notified until at least a month after the company understood the incident's full scope. A law firm is investigating the subsidiary's cybersecurity practices and response timeline.
Description
The data breach impacting PupBox, a subsidiary of Petco Health and Wellness Company (operating as Petco Animal Supplies Stores, Inc.), occurred between February 11, 2020, and August 9, 2020. Attackers installed an unauthorized plug-in on the PupBox.com website, enabling the capture and exfiltration of customer payment and personal information to a third-party server over this six-month period. The compromised data included subscribers' names, physical addresses, email addresses, passwords, credit card numbers, expiration dates, and CVV codes. PupBox initially received notification of potential fraudulent activity on August 7, 2020, specifically involving credit cards used on their platform between February 26 and July 21, 2020. The company formally identified the security incident on September 2, 2020, after which they conducted further investigation to determine the breach's scope and mechanisms. The breach affected more than 30,000 subscribers of the customized puppy subscription service, which had gained prominence through its appearance on Shark Tank.

PupBox publicly disclosed the breach through customer notification letters dated October 2, 2020, signed by company representative Ben Zvaifler, approximately one month after confirming the incident's severity. The delayed notification prompted scrutiny from the law firm Schubert Jonckheer & Kolbe LLP, which initiated an investigation into PupBox and Petco's cybersecurity practices and breach response timeline. The firm highlighted concerns regarding the six-month duration of unauthorized data collection before detection and the subsequent month-long gap between breach confirmation and customer alerts. Consequences included confirmed fraudulent activities involving compromised payment cards, though specific financial losses or additional misuse of personal information remained undisclosed. The breach investigation focused on the threat actors' use of malicious web plugins to intercept transaction data directly from the e-commerce platform.
