Cyber Incident Victim: LuckyPet

On October 12, 2015, an unauthorized party exploited a vulnerability in the third-party shopping cart software used by Seattle-based pet store LuckyPet. The attackers uploaded malware designed to intercept customer information during online purchase transactions. The compromised data included customer names, credit card numbers with expiration dates and security codes, and physical addresses. LuckyPet remained unaware of the breach for approximately five months until March 16, 2016, when officials discovered the incident and initiated an investigation. The company subsequently notified the California State Attorney General's office about the data compromise, though the total number of affected victims remained undetermined. The malware specifically targeted payment information submitted through the compromised e-commerce platform during an undisclosed operational period between the initial breach date and its discovery.

LuckyPet removed all infected files from their systems upon identifying the breach and implemented measures to mitigate impacts on affected customers. The company engaged with the compromised third-party software vendor to address the vulnerability and prevent future compromises. Notification was provided to major credit reporting agencies and payment card networks regarding the exposed financial data. While no confirmed reports of credit card misuse emerged from the breach, LuckyPet advised customers to monitor account statements for fraudulent activity and report suspicious transactions to law enforcement, state attorneys general, and the Federal Trade Commission. Vice-President Michael Kaplan issued a formal breach notice acknowledging the incident and expressing regret for any inconvenience caused to customers, though the company did not disclose specific technical details about the malware's operation or the exact duration of data exfiltration.