PupBox

PupBox, a United States-based subsidiary of the pet retail corporation Petco, was the target of a substantial data breach. The incident was formally identified on February 11, 2020, though malicious actors had maintained access through an unauthorized plug-in on the company's website for approximately six months prior. This extended period of compromise allowed threat actors to systematically capture and exfiltrate a wide array of sensitive customer data. Over 30,000 subscribers were affected, making it a significant breach in terms of customer impact. The discovery of the breach prompted internal and external scrutiny of the subsidiary's security protocols and its integration within the broader corporate structure.

The stolen information encompassed personally identifiable details including customer names, physical addresses, email account credentials, and passwords. Crucially, complete payment card data was also compromised, comprising card numbers, expiration dates, and CVV security codes. Such comprehensive financial data exposure heightened the risk of fraudulent transactions for victims, with reports of such activities emerging months after the initial intrusion. The delayed notification to affected individuals, even after the breach's scope was determined, became a focal point of criticism. Consequently, a law firm launched an investigation into Petco's cybersecurity practices and the subsidiary's adherence to timely breach disclosure standards. This incident underscored vulnerabilities in web application security and incident response planning within the organization.