Petco’s Vetco site exposed pet medical records to the open web

According to TechCrunch, Petco has taken a portion of its Vetco Clinics website offline after a major security lapse exposed sensitive customer and pet medical records to the open internet. The vulnerability, discovered last Friday and acknowledged by Petco the following Tuesday, allowed anyone to download customer files without a password. The exposed records included visit summaries, medical histories, prescriptions, customer names, home addresses, and even pet microchip numbers. TechCrunch found the flaw was due to a public PDF generation page that used sequential customer ID numbers, suggesting millions of records could have been accessed. This is reportedly Petco’s third data breach in 2025, following incidents earlier in the year and in September. The company has not provided evidence of strengthened security or said whether it can determine if data was extracted.

How the breach worked

Here’s the thing: this wasn’t some sophisticated, nation-state level hack. It was a classic, almost textbook example of an insecure direct object reference, or IDOR. Basically, Vetco’s customer portal had a page that generated PDF documents—things like vaccination records and visit summaries. That page required no login or ownership check. So, if you knew a customer’s unique ID number, you could just plug it into the web address and download their file. The real kicker? Those customer numbers were sequential. So you didn’t need to “know” anything. You could just guess. Add one to the number, and you’d get a completely different customer’s entire medical file. TechCrunch checked IDs at intervals of 100,000, which paints a scary picture of the potential scale. It’s a shockingly basic oversight.
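To make the IDOR concrete, here is an added example (not Petco’s or Vetco’s code; the record data, ids and names are constructed) showing the unauthenticated sequential-id lookup beside a hardened version that requires a session, enforces ownership, and resolves records through opaque tokens, plus a small detection heuristic for the id-walking pattern the article describes.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data standing in for a veterinary portal's records.
@dataclass
class Record:
    owner_id: int   # customer the record belongs to
    pet: str
    summary: str
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

RECORDS = {
    1001: Record(owner_id=7, pet="Biscuit", summary="Rabies booster, microchip on file"),
    1002: Record(owner_id=8, pet="Luna", summary="Dental cleaning, amoxicillin 10 days"),
}
# Secondary index: opaque token -> sequential id, so URLs never carry the id.
BY_TOKEN = {r.token: rid for rid, r in RECORDS.items()}

class NotFound(Exception):
    """Raised for missing records AND records the caller does not own."""

def pdf_vulnerable(record_id: int) -> str:
    # The flaw described above: the endpoint trusts the id in the URL and
    # never asks who is requesting, so any id, incremented by one, works.
    return RECORDS[record_id].summary

def pdf_hardened(session_user: Optional[int], token: str) -> str:
    # 1. Require an authenticated session before touching any record.
    if session_user is None:
        raise PermissionError("login required")
    # 2. Resolve the opaque token. Unknown tokens and tokens owned by someone
    #    else raise the same NotFound, so responses cannot confirm existence.
    rid = BY_TOKEN.get(token)
    rec = RECORDS.get(rid) if rid is not None else None
    if rec is None or rec.owner_id != session_user:
        raise NotFound()
    return rec.summary

def is_enumeration(ids_requested: List[int], window: int = 5) -> bool:
    # Detection heuristic over one client's requested ids: flags a run of
    # `window` requests whose successive ids differ by the same non-zero
    # step (+1, +100000, ...), the walking pattern the article reports.
    if len(ids_requested) < window:
        return False
    deltas = [b - a for a, b in zip(ids_requested, ids_requested[1:])]
    return any(len(set(deltas[i:i + window - 1])) == 1 and deltas[i] != 0
               for i in range(len(deltas) - window + 2))
```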

The staggering scale of data

We’re not just talking about names and emails here. This is deeply intimate information. We’re talking full medical assessments, diagnoses, prescription records, and costs. For the pets, it’s species, breed, age, birth date, and microchip numbers. For the owners, it’s home addresses, phone numbers, and even signatures on consent forms. This is a goldmine for scammers looking to craft convincing phishing attacks or for pet-related fraud. And one record was already indexed by Google, dated from mid-2020. So how long has this been wide open? Years, potentially. That’s the terrifying part. It makes you wonder about the internal security reviews, or lack thereof. When even a basic sequential ID check is missing, what else is?

A pattern of problems

Now, this isn’t a one-off for Petco in 2025. TechCrunch calls it the third breach this year alone. Earlier, hackers linked to a group called Scattered Lapsus$ Hunters hit a Petco database hosted on Salesforce. Then in September, Petco disclosed another breach involving a software setting that left files accessible online—an incident that included Social Security numbers and credit card info. Three major incidents in one year is a pattern, not bad luck. It points to systemic issues in how data security is managed and prioritized. The company’s statement about implementing “additional measures” rings pretty hollow without evidence, especially since they won’t say if they can even tell who accessed the exposed Vetco data. In today’s landscape, that’s a fundamental failure. For businesses handling sensitive data, robust internal systems are non-negotiable.

What happens next?

So what does Petco do now? Taking the site offline is the bare minimum first step. But the real work is forensic. They need to determine the scope—how many records were truly exposed and for how long. They have a legal and ethical obligation to notify every affected customer. And given the sensitivity of veterinary medical data, that notification needs to be clear and offer real support, like credit monitoring. But beyond this incident, the board and executives need to ask some hard questions. How does a company with multiple consumer brands suffer three catastrophic data leaks in a single year? Is security just a line item, or is it woven into the fabric of their digital projects? Until that culture changes, you have to assume the next breach is just a matter of time. And for their customers, that’s a bet no one should have to make.
