A San Francisco law firm has launched an investigation into a data breach that took place at a subsidiary of Petco Health and Wellness Company.
The breach, which occurred over a six-month period last year, resulted in the exposure of the payment card information of tens of thousands of customers of PupBox, Inc.
PupBox, which appeared on the entrepreneurial-themed reality TV show Shark Tank, sells customized puppy subscription boxes containing toys, treats, chews, and accessories handpicked according to the animal's age and physical characteristics.
On October 2, 2020, PupBox announced that its website, PupBox.com, had been the target of a prolonged data breach affecting more than 30,000 of its subscribers.
Threat actors installed an unauthorized website plug-in that allowed personal information to be captured and shared with a third-party server between February 11, 2020, and August 9, 2020.
Data potentially exposed in the breach includes subscribers' names, addresses, email addresses, passwords, credit card numbers, credit card expiration dates, and credit card CVV codes.
According to a security notification letter dated October 2 and signed by PupBox' Ben Zvaifler, the company learned of the breach in September. A month later, they found out that as a result of the incident, PupBox customers may have become the victims of fraudsters.
"We are writing to inform you that on September 2, 2020, PupBox (a business unit of Petco Animal Supplies Stores, Inc.) became aware of a security incident which affected the PupBox website and may have resulted in a breach of your personal information," reads the letter.
"On August 7, 2020, we received a notification that fraudulent activities may have occurred on credit cards that were used on the PupBox website between February 26, 2020 and July 21, 2020."
The incident is now under investigation by class-action lawyers at Schubert Jonckheer & Kolbe LLP, who noted that PupBox waited at least a month before notifying victims after learning the full extent of the breach.
"The Schubert Firm is investigating the conduct and cybersecurity practices of PupBox and Petco in relation to the breach. Of particular concern, the malicious plug-in was active on the PupBox website for nearly six months between February 11 and August 9, 2020," said a spokesperson for the firm.