In October, PupBox (a company owned by animal supplies giant Petco that delivers products and training information for puppies) sent out a security alert. This alert warned PupBox customers that the company had experienced a data breach that affected roughly 30,000 accounts. This breach began in February and was not discovered until August. As a result, thousands of credit cards and other sensitive data were exploited by cybercriminals.
The fallout from this incident, namely the apparent length of time it took PupBox to act on the data breach information they received, is now the subject of a legal investigation. A San Francisco-based firm, Schubert Jonckheer & Kolbe, said that they would be investigating PupBox’s actions and looking for violations. A press release from the firm laid out what it considers the case against Petco and PupBox:
The breach resulted from an unauthorized website plug-in that potentially exposed subscribers’ names, addresses, email addresses, passwords, credit card numbers, credit card expiration dates, and credit card CVV codes. According to the company, fraudulent activity may have already occurred on credit cards used on the PupBox website during the relevant period.
The Schubert Firm is investigating the conduct and cybersecurity practices of PupBox and Petco in relation to the breach. Of particular concern, the malicious plug-in was active on the PupBox website for nearly six months between February 11 and August 9, 2020. Furthermore, the company waited at least a month to notify victims after learning the full extent of the breach.
The investigation may have merit as Petco has its headquarters in San Diego, Calif. The state of California has been aggressive in passing privacy legislation to protect consumers. In this particular case, the California Consumer Protection Act (CCPA) gives legal grounds for class action lawsuits. In the words of the Office of the California Attorney General:
You can only sue businesses under the CCPA if certain conditions are met. The type of personal information that must have been stolen is your first name (or first initial) and last name in combination with any of the following:
- Your Social Security number
- Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person’s identity
- ***Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account***
- Your medical or health insurance information
- Your fingerprint, retina or iris image, or other unique biometric data used to identify a person’s identity (but not including photographs unless used or stored for facial recognition purposes)
As the third bullet point, which was bolded and italicized for emphasis, states, the PupBox case appears to fall under this particular CCPA stipulation.
This PupBox data breach investigation is ongoing, and as such, information is rapidly developing. Any important updates will be reported on.