fbpx

Petco, PupBox Compromising of Customer Information Class Action

Both Petco Animal Supplies Stores, Inc. and PupBox, Inc. keep the private information of their customers in their systems. The complaint for this class action claims that the companies did not adequately protect this information, which led to a data breach, and then failed to give customers “timely and adequate notice” about the exposure of their data.

The Nationwide Class for this action is all those who live in the US whose private information was exposed or compromised in the cyberattack first revealed by PupBox in October 2020. A Washington Subclass has also been defined.

PupBox is a wholly-owned subsidiary of Petco Animal Supplies that sends customers monthly boxes of toys, treats, and accessories for their dogs.

The complaint claims that the companies had the “sensitive personal and financial information of over 30,000 customers” on their networks. During the recent cyberattack, the information exposed includes names, addresses, passwords, and credit card information, including card numbers, expiration dates, and CVV codes.

According to the complaint, the companies “maintained the Private Information in a reckless manner.” It alleges that the information was left “in a condition vulnerable to cyberattacks” and that the systems were not properly monitored or the cyberattack would have been discovered sooner than it was.

PupBox claims it became aware of the data breach only on September 2, 2020, it says in its Notice of Data Breach. However, they’d had some idea about this earlier: “On August 7, 2020, we received a notification that fraudulent activities may have occurred on credit cards that were used on the PupBox website…” An investigation “revealed an unauthorized plugin on the PupBox website. The plugin allowed personal information to be captured and shared with a third-party server between February 11, 2020 and August 9, 2020.”

Unfortunately, although PupBox knew there might be a problem as early as the beginning of August, the notice about the data breach was not sent out to customers until October 2, nearlhy two months later, when some customers had already experienced “identity theft and financial fraud.”

Why is the attack the fault of Petco and PupBox? The complaint puts it this way: “On information and belief, the financial fraud … demonstrate[s] that [Petco and PupBox] chose not to invest in the technology to encrypt payment card data (PCD) at point-of-sale to make its customers’ data more secure; failed to install updates, patches, and malware protection or to install them in a timely manner to protect against a data security breach; and/or failed to provide sufficient control [of] employee credentials and access to computer systems to prevent a security breach and/or theft of PCD.”

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Petco, PupBox Compromising of Customer Information Complaint

December 18, 2020

Both Petco Animal Supplies Stores, Inc. and PupBox, Inc. keep the private information of their customers in their systems. The complaint for this class action claims that the companies did not adequately protect this information, which led to a data breach, and then failed to give customers “timely and adequate notice” about the exposure of their data.

Petco, PupBox Compromising of Customer Information Complaint

Case Event History

Petco, PupBox Compromising of Customer Information Complaint

December 18, 2020

Both Petco Animal Supplies Stores, Inc. and PupBox, Inc. keep the private information of their customers in their systems. The complaint for this class action claims that the companies did not adequately protect this information, which led to a data breach, and then failed to give customers “timely and adequate notice” about the exposure of their data.

Petco, PupBox Compromising of Customer Information Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Failure to Inform Promptly of Data Breach, Your Privacy