I recently received a shipment of cat food from Petco which, as far as I know, I had not ordered. I did have a “repeat delivery” order scheduled for that variety of cat food, but usually when Petco is about to send you a repeat delivery order they notify you by email to give you a chance to cancel it, and they notify you again when the order has shipped, and I received neither of those emails. Furthermore, when I looked in my account on petco.com after receiving the shipment, the order was not listed there.
I contacted Petco customer service, gave them the order number from the shipping label, and asked them what was going on. The representative who responded claimed that I had two accounts on petco.com and that the order had been placed from the other account, and gave me the email address of the other account, which, dear reader, I assure you was not an email address I was in any way associated with.
I emailed that address, told its owner what was going on, and asked if, perchance, there was an order they hadn’t placed visible to them in their petco.com account. They responded that yes, indeed there was, and send me a PDF of the web page showing the order details. This page contained my full name, full mailing address, and last four digits of my credit card number, visible to the other user to whose petco.com account the order was incorrectly attached.
At this point I emailed firstname.lastname@example.org, notified them that they had breached my privacy and presumably the privacy of some undetermined number of other petco.com account holders, and demanded that they investigate what had occurred, remediate the impact of the data breach, follow all relevant breach notification laws, and provide me with details on the results of their investigation.
They said they were investigating, stalled me for a few weeks, and then claimed that they had completed their investigation and concluded that only a small number of users were impacted. They refused to say how many users were impacted, whether they had removed the orders from the incorrect accounts, whether they had notified the other impacted users that their privacy had been breached, or whether they had followed applicable breach notification laws.
They apparently just expect us to take their word for it. That’s not OK.
I have filed a data breach complaint about this with the Massachusetts Attorney General’s Office.