Data Breach Exposed Thousands of Pet Medical Records Including Owner Information
Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password protected database that contained over 56,000 records, including pet medical reports, DNA tests, pedigree historyand other potentially sensitive information.
As a longtime cyber security researcher, this is one of the most interesting discoveries I have ever encountered and a first for me. I recently discovered a non-password protected database that contained records of thousands of dogs from around the world and included the information of their human owners. The publicly exposed cloud storage database contained a total of 56,624 documents in .PDF, .png, and .jpg formats with a total size of 25 GB. Upon further investigation, the database appeared to belong to the Worldwide Australian Labradoodle Association (WALA). The international organization promotes the Australian Labradoodle breed and sets standards for responsible breeding practices. While WALA has members and affiliated breeders all over the world, their main office is based in Washington state, United States. WALA also has regional offices in other parts of the world, including Australia, Europe, and Asia. It should be noted that I saw documents from multiple countries inside the publicly exposed database. I immediately sent a responsible disclosure notice to WALA and the database was eventually restricted several days later without a reply to my messages.
According to the WALA website: The organization unites worldwide Australian Labradoodle breeders in a mutual commitment to the long-term benefits of high standards in breeding practices and the cooperative building of a comprehensive and accurate database to preserve pedigrees and health information.
The documents contained the dogs’ medical reports, DNA tests, pedigree or lineage history showing the parents, grandparents, or offspring. The files also contained information about the owner of the dogs, veterinarians or testing laboratories, and other data such as electronic chip numbers or tattooed identification numbers. The wide range of documents contained things such as names, physical addresses, phone numbers, and email addresses depending on the document. When we think of a data breach of health records, we may never consider the implications of pet medical data. However, there is a massive amount of money in the pet industry, and history has shown there are always potential risks when the possibility of financial gain is involved. According to the American Pet Products Association (APPA), approximately 67% of US households — which is about 85 million families — own a pet. Furthermore, they spend an estimated 123.6 billion USD per year on the pet industry.
Pet Insurance Fraud Risk
Pet insurance policies typically cover accidents, illnesses, and, in some cases, routine care. Some policies also offer coverage for hereditary conditions and wellness check-ups. One obvious potential risk of a data breach would be using the exposed information to commit pet insurance fraud. Hypothetically, leaked medical documents could be altered and submitted for fraudulent insurance claims. Historical data indicates that this type of fraud witnessed a significant uptick from 2010-2015 with fraudulent claims increasing over 400% during that period. A past report in TheWeek also claimed that policyholders and pet owners were alleged to have maimed or even killed their animals to collect insurance money.
The North American Pet Health Insurance Association (NAPHIA) 2022 State of the Industry Report found that more than 4.41 million pets were insured in North America in 2021, up from 3.45 million in 2020. The report also found that 2.84 billion USD of pet insurance premiums were in force in 2021. In 2020, pet insurance providers in North America alone paid out over 1.87 billion USD in claims for covered treatments and procedures.
While there is a substantial amount of money involved in the industry, it’s important to note that there is no publicly available data indicating the current prevalence of fraud in the pet insurance industry. We note that there is a massive amount of money being exchanged between policyholders and insurance providers. This content is provided for informational purposes only and is based on historical data and theoretical risks, and should not be construed as an accusation or indication that such fraudulent activities are presently occurring within the pet insurance industry.
This screenshot shows a genetic health report that identifies the pet’s medical condition, chip number, and other information.
This screenshot shows a certificate of elbow or joint health. An Elbow Dysplasia Scheme uses X-rays to examine the elbow joint and is then graded by a veterinary expert. The elbow grades are then used by breeders to try and ensure that there are no hereditary problems and that the dog is healthy.
This screenshot shows an example of the many certifications that contained the owner’s PII and detailed pet information.
This screenshot shows an example of a DNA Identification Profile that contains the owner’s name and address. The test also indicates the dog is a breed other than Australian Labradoodle.
This screenshot shows a visual family tree of the dog’s lineage including names and ID numbers.
This screenshot shows a document from WALA’s European branch. Europe has strict data privacy protection laws known as GDPR. It is unclear if the European authorities have been notified of the exposure and how many people were potentially affected. ❮❯
Exposed Microchip Numbers
The primary purpose of pet microchipping is to find or identify lost pets and reunite them with their owners. Knowing a pet’s microchip number alone doesn’t inherently pose a significant risk to the pet’s safety or security; however, when combined with other information and ownership data, there could be potential risks. Hypothetically, criminals could falsely claim ownership of a lost or stolen pet using a publicly leaked microchip number. Pet theft is a real concern — an estimated 2 million dogs are stolen every year in the United States. Labradoodles can sell for as much as 5,000 USD, making them a potentially valuable target for criminals.
There are other risks even if criminals have no physical access to the pet. For instance, social engineering tactics where criminals could contact the pet owner, posing as an authority figure, and claim that they need additional personal information to update the microchip database, certifications, or other registrations. The criminal could potentially obtain credit and banking information or PII from the owners that could possibly lead to other forms of fraud or even identity theft. The chip number is linked to the owner’s contact details in the microchip database, potentially exposing personal information. I highly recommend that owners keep their pets’ microchip number confidential and avoid sharing it publicly or online. They should also be cautious when receiving requests for information related to their pet’s microchip. It’s good practice to verify the identity of anyone claiming to be an authority figure and report any suspicious activity related to their pet’s microchip to the appropriate microchip registry and local authorities.
This screenshot shows how easily I was able to get a pet owner’s phone number using a free online pet microchip database and one of the chip numbers listed in an exposed document.
Other Potential Risks
The term “puppy scam” is a general way to describe fraudulent activities related to the sale of dogs, often involving nonexistent or misrepresented puppies. However, we could talk about more specific tactics, like “breeder identity theft”, which is when scammers impersonate legitimate breeders to scam potential buyers. These scams often start with advertisements on classified websites or social media platforms. To avoid falling victim to a puppy scam, it’s essential to exercise caution and verify the breeder’s identity and credentials. Always be suspicious of sellers who offer valuable breeds of puppies at unrealistically low prices. If something feels off about the sale, avoid sending wire transfers or providing your payment information until you are certain that the transaction is legitimate.
The WALA database contained a large number of real pet health records, membership and breeder information, and other documents that criminals could hypothetically use as supporting evidence to pretend they are the rightful owner or breeder of a specific dog. It is unknown who else may have accessed the exposed records. According to the US-based consumer protection agency known as the Better Business Bureau (BBB), pet scams represented 24% of the online scams reported to their Scam Tracker in 2021. Considering that the Federal Trade Commission (FTC) estimates that less than 10% of victims step forward to report that they have been scammed, it’s likely that the real number of victims could be much higher. In 2022, Australians lost over 3.5 million AUD in scams involving pets. In the UK, the frequency of this type of scam rose by 39% between 2020 and 2021, with the average loss estimated at £1,400.
It is not known how long the database was exposed or who else may have had access to WALA’s records. I am not claiming that the member documents were accessed by criminals or that they are at any risk of being used for fraud. I am also not claiming any wrongdoing by WALA or that members or their pets were ever at risk. The intention here is solely to underline the conceivable risks associated with any data breach, particularly those that could impact the personal privacy and security of individuals or entities named in such databases.
Any organization that collects and stores documents on animals or humans should take all possible steps to secure potentially sensitive information. I strongly recommend implementing a multi-layered security strategy that ensures all software, including database management systems, are regularly updated with security patches to address known vulnerabilities. Another good practice is to regularly monitor your network and database activity for suspicious behavior. Penetration testing and vulnerability assessments can help proactively identify and remediate weaknesses or misconfigured access settings. It is also important to notify customers or members of any serious data incident so that they are aware of what was exposed and can be prepared in the event criminals do contact them or try to use the exposed information or documents for fraudulent purposes.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.
Thank you, - your comment was submitted successfully!
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Share this blog post with friends and co-workers right now:
Thank you, , your comment was submitted successfully!
We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.
Thank you for signing up!
Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!
So happy you liked it!
Share it with your friends!
Or review us on
3188075
50
5000
74305456
This page isn't yet translated into . If you wish to volunteer and translate it, please contact us using the contact us page
