Petco Health and Wellness Company (ticker WOOF) announced on December 5, 2025 that a misconfigured setting in its customer data platform exposed personal information of at least 500 California residents, an unspecified number of customers in Massachusetts, and three individuals in Montana. The company discovered the lapse internally, corrected the setting immediately, and removed the publicly accessible files.
The exposed data included names, addresses, email addresses, phone numbers, and in some cases credit card numbers and social security numbers. The breach involved the company’s customer relationship management (CRM) system, specifically the “Petco Customer Data Hub” application, which had a misconfigured file‑sharing setting that allowed files to be accessed online.
Petco complied with state law by notifying the California Attorney General within 15 days of discovering the breach, as required for incidents affecting more than 500 residents. The company also notified the Massachusetts Office of Consumer Affairs and Business Regulation and the Montana Attorney General’s consumer protection office. All affected customers are receiving free credit‑ and identity‑theft monitoring services.
This incident follows a 2020 breach of Petco’s PupBox website that exposed personal and credit card information of approximately 30,000 consumers. The recurrence of data‑security incidents raises concerns about the company’s overall security posture and could erode investor confidence.
Financially, Petco reported Q3 2025 earnings of $0.03 per share, beating estimates of $0.01, while revenue of $1.46 billion fell slightly below the $1.47 billion estimate. Management highlighted cost control and a focus on profitability, but the breach could increase operational costs and erode customer trust. The company has announced plans to invest in additional security measures and infrastructure upgrades to prevent future incidents.
CEO Joel Anderson said the company is “committed to protecting our customers’ data and will take all necessary steps to strengthen our security posture.” He added that the breach is being fully investigated and that the company will maintain transparency with regulators and customers.
The content on BeyondSPX is for informational purposes only and should not be construed as financial or investment advice. We are not financial advisors. Consult with a qualified professional before making any investment decisions. Any actions you take based on information from this site are solely at your own risk.