Petco Software Glitch Left Files Exposed Online For Months, Class Action Alleges Data Breach Exposed Customer Information
A class action lawsuit filed in California federal court alleges Petco failed to properly protect customer information in a data breach that exposed Social Security numbers, driver’s license details, and financial data. Plaintiff Matthew Mack filed the Petco class action (Case No. 3:25-cv-03806) on December 17, 2025, in the U.S. District Court for the Southern District of California, claiming the company discovered the breach during a routine security review in July 2025 but didn’t notify affected customers for months.
The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, and credit or debit card information—according to breach reports filed with state attorneys general in Texas, California, Massachusetts, and Montana. At least 329 Texas residents were confirmed affected, though the total nationwide number remains undisclosed. California law requires companies to report breaches affecting more than 500 residents.
This affects you if you’re a Petco customer whose information was processed through the company’s systems and you received a breach notification letter. With 24 million customers served nationwide according to Petco’s 2022 figures, the actual impact could be substantial. Understanding what was exposed and what legal rights you have could help you protect yourself and potentially receive compensation.
What the Petco Class Action Alleges
The Lawsuit Claims Inadequate Security Measures
The Petco class action lawsuit argues the company failed to implement adequate cybersecurity measures to prevent unauthorized access to customer files. According to the complaint, Petco discovered during routine security monitoring that a misconfigured software setting inadvertently made certain files accessible online. The lawsuit claims Petco knew or should have known about the importance of safeguarding personally identifying information and the consequences of failing to do so.
Matthew Mack, the named plaintiff, alleges Petco failed to notify customers in a timely manner despite discovering the breach in July 2025. The complaint states affected individuals “were wholly unaware of the Data Breach for months until they received letters from Defendant informing them of it.” According to breach notification letters filed with state regulators in December 2025, Petco finally began notifying customers several months after initial discovery.
Legal Claims and Damages Sought
The Petco class action alleges negligence (failing to exercise reasonable care protecting customer data), breach of implied contract (violating the understanding that customer information would be kept confidential), breach of the implied covenant of good faith and fair dealing, unjust enrichment, and violations of the Declaratory Judgment Act. Plaintiff Mack seeks to represent a nationwide class of consumers whose personal information was compromised and demands a jury trial with compensatory, injunctive, and declaratory relief for himself and all class members.
What Customer Data Was Exposed and Why It Matters
What Personal Information Means
Personal information includes any data that can identify you—your name, address, phone number, email, date of birth, Social Security number, driver’s license number, and financial account details like credit card numbers. This differs from anonymous data because it links directly to your identity. When personal information is exposed in a data breach (unauthorized access to stored data), criminals can use it for identity theft, financial fraud, account takeovers, and other crimes.
Why the Petco Data Breach Is Especially Serious
The combination of data types exposed in the Petco class action creates significant risk. Social Security numbers are particularly dangerous—they’re the key to your identity and cannot be changed like a credit card number. With your SSN, driver’s license number, date of birth, and financial information, criminals can open credit accounts in your name, file fraudulent tax returns, drain bank accounts, make unauthorized purchases, take over existing accounts, commit medical identity theft, and apply for loans or government benefits using your identity.
According to the breach notification letters, exposed information included names, Social Security numbers, driver’s license numbers, financial information (account numbers, credit or debit card numbers), and dates of birth. The Petco class action alleges this exposure leaves customers vulnerable to identity theft and fraud for years to come, requiring vigilant monitoring of financial and credit accounts.
Who Qualifies as Affected and What You Could Receive
Am I Part of the Petco Class Action?
You may be included if you’re a Petco customer whose personal information was compromised in the breach and you received a notification letter from the company. The Petco class action seeks to represent a nationwide class of all consumers whose personally identifying information was exposed. You typically don’t need to actively “join”—if you’re a class member, you’re automatically included unless you opt out.
Determining if you’re affected requires checking whether you received a data breach notification letter from Petco. These letters explain what information was compromised and provide a reference number you’ll need for any claims. If you shopped at Petco stores or online and received notification, save all correspondence as evidence.
Potential Compensation from Data Breach Settlements
While the Petco class action hasn’t reached settlement, similar retail data breach cases provide context. Recent settlements show AT&T agreed to pay $177 million for two data breaches (up to $5,000 for the first breach, up to $2,500 for the second), Capital One settled for $190 million covering 100 million customers, and Communication Federal Credit Union agreed to $2.9 million (up to $7,500 for documented losses, approximately $125 pro rata payments).
Typical compensation categories in data breach class actions include reimbursement for identity theft costs, credit monitoring expenses, time spent addressing the breach ($20-$25 per hour documented), emotional distress, and statutory damages under state data breach notification laws. If the Petco class action settles, you’ll likely need to file a claim form with documentation of your losses. Without documented harm, most class members receive smaller pro rata payments ranging from $20-$150.
What Petco Allegedly Did Wrong
Specific Security Failures
The Petco class action alleges the company failed to implement industry-standard cybersecurity measures necessary to protect sensitive customer information. The lawsuit claims Petco allowed a misconfigured software setting to make files accessible online, failed to detect this configuration error through proper monitoring, took months to notify customers after discovering the breach in July 2025, and didn’t implement adequate access controls or encryption to prevent unauthorized access.
According to Petco’s own breach notification, the company “identified a setting in one of our applications which inadvertently made certain Petco files accessible online.” The Petco class action argues this represents a failure of basic cybersecurity protocols—companies handling sensitive customer data should conduct regular security audits, implement proper access controls, encrypt sensitive files, and detect misconfigurations promptly.
Legal Violations and What Company Should Have Done
The Petco class action asserts violations of state data breach notification laws that require companies to notify affected individuals within specified timeframes (typically 30-60 days after discovery). The lawsuit also claims negligence for failing to exercise reasonable care safeguarding data, breach of contract for violating the implicit agreement to protect customer information, and violations of state consumer protection laws prohibiting unfair business practices.
Retailers must follow Payment Card Industry Data Security Standards (PCI DSS) when handling credit card information. These standards require secure networks, strong access controls, encrypted transmission of cardholder data, regular security testing, and vulnerability management programs. The Petco class action argues these measures were insufficient or improperly implemented.
What You Must Know
Your Rights After a Retail Data Breach
When your personal information is compromised, state data breach notification laws protect you. All 50 states require companies to notify affected individuals when breaches occur, though specific requirements vary. Notifications must typically include what happened, what information was exposed, what the company is doing to investigate and prevent future breaches, and what you should do to protect yourself.
You have the right to file complaints with your state Attorney General’s office or the Federal Trade Commission if you believe a company violated data protection obligations. Beyond participating in the Petco class action, you can report identity theft at IdentityTheft.gov, request free credit reports from AnnualCreditReport.com, place fraud alerts or credit freezes with credit bureaus, and seek legal counsel about individual claims if you suffered significant damages.
Common Mistakes That Leave You Vulnerable
Don’t ignore breach notification letters—they contain critical information about what was exposed and actions you must take. Assuming you’re not affected without checking or failing to understand what personal information exposure means long-term are common errors. Not monitoring credit reports, bank statements, and accounts for unauthorized activity leaves you open to undetected fraud.
Failing to place fraud alerts or credit freezes when Social Security numbers are exposed is a mistake. Not changing passwords for affected accounts and any accounts using the same password increases vulnerability. Missing claim deadlines if the Petco class action reaches settlement means forfeiting compensation. Not documenting suspicious activity, unauthorized charges, or identity theft that results from the breach weakens future claims.
What Happens Next in the Petco Class Action
Data breach class actions typically follow this timeline. Multiple lawsuits may be consolidated into one case. Defendants file motions to dismiss, which courts rule on. Discovery follows where plaintiffs’ attorneys investigate the company’s security practices and breach response. Courts decide whether to certify the class action (determining if it meets legal requirements to proceed as a class representing all affected individuals).
Most cases settle before trial through negotiations between class counsel and defendants. If approved by the court, class members receive notice with instructions for filing claims. Payments typically arrive 60-90 days after final approval, assuming no appeals. The entire process usually takes 2-4 years from initial filing to final payment distribution.
What to Do Next
If Your Data Was Involved in the Petco Breach
Check whether you received a breach notification letter from Petco. The letter will specify what personal information was compromised and provide a reference number needed for claims. Determine if your information was processed through Petco’s systems—if you made purchases at Petco stores or online, created an account, or participated in loyalty programs, your data may have been exposed.
Save all breach notifications and correspondence from Petco as evidence. Document the date you received notice, what you were told was compromised, and any actions you’ve taken in response. If you experience suspicious activity, unauthorized charges, or identity theft, keep detailed records with dates, amounts, and entities involved. This documentation supports claims for reimbursement if the Petco class action settles.
Protecting Yourself After the Breach
Place fraud alerts on your credit reports with all three major credit bureaus (Equifax, Experian, TransUnion). Fraud alerts are free and last one year, requiring creditors to verify your identity before opening new accounts. Consider a credit freeze to completely block access to your credit report, preventing new accounts from being opened in your name even with your Social Security number.
Monitor your credit reports regularly through AnnualCreditReport.com for unauthorized accounts or inquiries. Watch bank and credit card statements closely for fraudulent charges. Change passwords for your Petco account and any accounts using the same password. Enable two-factor authentication where possible. Be alert for phishing emails or calls using your exposed information to trick you into revealing more data.
Sign up for any free credit monitoring services Petco offers. Report identity theft to the FTC at IdentityTheft.gov and file complaints with your state Attorney General if you believe Petco violated data protection laws.
Monitoring the Lawsuit and Your Options
You typically don’t need to “join” the Petco class action. If you’re a class member (someone whose data was compromised), you’re automatically included unless you opt out. Watch for official notice if the court certifies the class. This will explain your rights and options including participating, opting out to file your own lawsuit, or objecting to any proposed settlement.
Check the case docket through PACER.gov or class action settlement tracking websites like TopClassActions.com for updates. You’ll need to decide whether to stay in the class action, opt out (preserving your right to sue Petco independently), or object to settlement terms if you believe they’re unfair. Opting out means you won’t receive anything from a class settlement but can pursue individual claims. Most people stay in because individual lawsuits are expensive and time-consuming.
Frequently Asked Questions
What is the Petco data breach lawsuit about?
The Petco class action filed in December 2025 alleges the company failed to properly protect customer information in a data breach that exposed Social Security numbers, driver’s license details, and financial data. The lawsuit claims Petco discovered the breach in July 2025 but delayed notifying customers for months.
What customer information was exposed in the Petco breach?
According to breach notification letters, exposed data included names, Social Security numbers, driver’s license numbers, dates of birth, financial account numbers, and credit or debit card information. This combination creates serious identity theft and financial fraud risks.
Am I part of the Petco class action?
You may be included if you received a breach notification letter from Petco indicating your personal information was compromised. The lawsuit seeks to represent all consumers whose personally identifying information was exposed in the breach.
How much money can I get from the data breach lawsuit?
The Petco class action hasn’t reached settlement yet, so compensation amounts are unknown. Similar retail data breaches have settled for $20-$5,000 per person depending on documented losses. Without receipts for actual harm, most class members receive $20-$150 pro rata payments.
What should I do if my information was compromised?
Place fraud alerts or credit freezes on your credit reports, monitor credit reports and bank statements for unauthorized activity, change passwords for affected accounts, enable two-factor authentication, watch for phishing scams, sign up for free credit monitoring Petco offers, document all time and expenses related to addressing the breach, and report identity theft to FTC at IdentityTheft.gov.
Has Petco settled the data breach class action?
No. As of January 2026, the lawsuit filed in December 2025 is in its early stages. Data breach class actions typically take 2-4 years to resolve through settlement or trial.
When did the Petco data breach happen?
According to the lawsuit, Petco discovered the breach during a routine security review in July 2025. The company began notifying affected customers in December 2025 after filing required reports with state attorneys general.
Last Updated: January 13, 2026 — We keep this current with the latest legal developments.
💡 Pro Tip: Place a credit freeze immediately, not just a fraud alert. Freezes completely block access to your credit report, preventing criminals from opening new accounts in your name even if they have your Social Security number, driver’s license number, and other personal information from the Petco data breach. Freezes are free and can be lifted anytime you need to apply for credit.
Legal Disclaimer: This article provides general information about the Petco class action alleging data breach exposed customer information and is intended for educational purposes only. It does not constitute legal advice. Legal outcomes vary based on individual circumstances. AllAboutLawyer.com does not provide legal services, does not represent the class in the Petco class action, and is not affiliated with Petco Animal Supplies Stores, Inc. or any parties to the litigation. For specific legal advice about the Petco data breach or your eligibility for compensation, consult a qualified attorney experienced in data breach or consumer rights litigation. Information about the breach and lawsuit is based on publicly available court filings, breach notifications, and news reports current as of January 13, 2026.
Take Action Now:
- Report identity theft: FTC IdentityTheft.gov
Related: Learn more about protecting yourself in our guides on TransUnion data breach exposes 4.4 million Social Security numbers, 700Credit class action lawsuits, and Nelnet data breach class action lawsuit.
Stay informed, stay protected. — AllAboutLawyer.com
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah