Pet wellness company Petco has taken a portion of its Vetco Clinics website offline after a security lapse exposed reams of customers’ personal information to the open web.
After TechCrunch alerted the company to the exposed data relating to Vetco customers and their pets, Petco confirmed in a statement that it was investigating the data leak at its veterinary services company, and declined to comment further.
The security lapse allowed anyone on the internet to download customer records from Vetco’s website without needing a user’s login information. At least one customer record was exposed and indexed by Google, allowing anyone to find the data by searching for it.
The customer records, seen by TechCrunch, included visit summaries, medical histories, and prescription and vaccination records, among other files relating to Vetco customers and their pets.
The files also contained customer names; their home address, email address, and phone number; the location of the Vetco clinic where the services were performed; medical assessments, tests and diagnoses; and the costs of goods, names of veterinarians, consent forms, owner signatures, and dates of service.
We also found animal names, species and breed, their sex, age and date of birth, their microchip number (if registered), their medical vitals, and prescription records in the files.
TechCrunch alerted Petco to the security lapse on Friday after discovering the vulnerability. The company acknowledged the data exposure days later on the following Tuesday after TechCrunch followed-up by attaching several exposed customer files to our email.
Petco spokesperson Ventura Olvera told TechCrunch late on Tuesday that the company has “implemented, and will continue to implement, additional measures to further strengthen the security of our systems,” though the company did not provide evidence for the claim.
Olvera would not say if the company has the technical means, such as logs, to determine if any data was extracted from the company’s systems during the course of the data spill.
How TechCrunch found the data spill
... continue reading