UK Pet Owners Targeted by Fake Microchip Renewal Scams

UK pet owners are being hit with convincing scam emails demanding microchip registration renewals, and the source of the problem appears to lie deeper than just spam. A recent investigation by Pen Test Partners has revealed serious security issues in how microchip data is stored and accessed, giving scammers the tools they need to convincingly imitate official registries.

The Scam: Familiar Names, False Intentions

Thousands of pet owners have reported receiving emails claiming their pet’s microchip registration is about to expire, often urging them to pay a renewal fee through sites like PetChip.info. These messages look legitimate. They include the pet’s name, breed, age, and even microchip number. The catch? Microchips don’t expire, and the government doesn’t charge annual fees.

The messages are scams, designed to collect payment and personal details. But the level of personalisation has raised questions about where the data is coming from.

One of the emails used in the scam (Image via Pen Test Partners)

How the Data Got Out

According to the Pen Test Partners report, the issue isn’t just phishing. It’s about how UK pet microchip databases manage access to sensitive data. Investigators found that several platforms allow users to enter a microchip ID to retrieve pet details without any real limits. With predictable chip number formats, attackers can guess large batches of IDs and scrape data with little resistance.

In many cases, staff at vet clinics and animal wardens use shared login credentials to access these systems, with multi-factor authentication often missing. Rate-limiting to prevent large-scale lookups is either weak or non-existent. These issues make mass harvesting of data both feasible and fast.
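A defender-side check for the lookup pattern described above, as an added example that is not from the Pen Test Partners report or any registry's code: it scans lookup logs for accounts that exceed a per-minute lookup budget or that step through neighbouring chip numbers. The log shape, thresholds, account names and chip IDs are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 60        # sliding window length in seconds (assumed threshold)
MAX_DISTINCT = 20    # distinct chip IDs one account may look up per window (assumed)
MAX_SEQ_RATIO = 0.5  # share of lookups that step to a neighbouring ID (assumed)
NEAR = 5             # IDs this close together count as neighbouring (assumed)

def flag_enumeration(events):
    """events: (unix_ts, account, chip_id) tuples sorted by time.
    Returns {account: sorted list of reasons} for accounts that look like scrapers."""
    recent = defaultdict(deque)   # account -> (ts, chip_id) still inside the window
    last_id = {}                  # account -> previous chip ID looked up
    total = defaultdict(int)
    near = defaultdict(int)
    flagged = defaultdict(set)
    for ts, account, chip_id in events:
        q = recent[account]
        q.append((ts, chip_id))
        while q and q[0][0] <= ts - WINDOW_S:
            q.popleft()
        if len({c for _, c in q}) > MAX_DISTINCT:
            flagged[account].add("rate")
        # A slow scraper stays under the rate budget but still walks the number space.
        prev = last_id.get(account)
        if prev is not None and 0 < abs(int(chip_id) - int(prev)) <= NEAR:
            near[account] += 1
        total[account] += 1
        last_id[account] = chip_id
    for account, n in total.items():
        if n >= 10 and near[account] / (n - 1) > MAX_SEQ_RATIO:
            flagged[account].add("sequential")
    return {a: sorted(r) for a, r in flagged.items()}

def sample_events():
    """Constructed log lines; the 15-digit IDs are made up, not real chips."""
    base = 900000000000000
    ev = [(i * 450, "clinic-shared", str(base + i * 7919)) for i in range(8)]       # normal use
    ev += [(1000 + i, "warden-01", str(base + 5000 + i)) for i in range(40)]        # fast scrape
    ev += [(i * 300, "vet-slow", str(base + 90000 + i)) for i in range(30)]         # slow scrape
    return sorted(ev)

if __name__ == "__main__":
    for account, reasons in flag_enumeration(sample_events()).items():
        print(account, reasons)
```

The "sequential" signal matters because a rate limit alone misses a patient scraper, and with shared logins an alert only identifies the account, not the person behind it.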

People are already being affected. Pet owners are receiving scam emails that include highly specific and accurate data, much of which likely originated from these unchecked systems.

Past Breaches May Have Played a Role

The report also points to previous data exposure incidents involving providers like Petlog. While full breach details were never made public, the timing lines up with an increase in scam reports that began in late 2021. Since then, patterns have shifted from generic spam to tailored attacks using detailed pet information.

There’s no official confirmation linking any one registry to a breach, but the trend suggests more than one database may have been scraped or compromised.

A Regulatory Gap That Puts Data at Risk

In the UK, there are multiple Department for Environment, Food & Rural Affairs (DEFRA) approved microchip databases, but there’s no single technical standard they must follow. That means data protection varies between providers. Some have stronger controls, others lag.

This patchwork system has made it easier for scammers to exploit the weakest links. Without mandatory requirements for things like rate-limiting, access logs, or even basic two-factor login, user data remains exposed.

Pet owners often assume their data is secure just because the registry is government-approved, but approval doesn’t equal strong cybersecurity.

The Cost of Trust

The scam itself isn’t just about stealing £15 or £30 per victim. It’s also an entry point for wider identity theft. These messages ask for names, addresses, phone numbers, payment information, and even pet health details. All of that can be reused in other fraud schemes or sold on dark web marketplaces.

Many victims only realise the problem after handing over payment and then checking with their vet, who confirms that no renewal was ever needed. By then, the scammers have already moved on.

What Pet Owners Can Do

  • Know this first: You never need to renew a microchip registration unless you’re moving your pet to a different database.
  • Always verify renewal messages with your original registry or vet.
  • Avoid clicking links in unsolicited emails, even if they include accurate details.
  • Check the official DEFRA list for approved databases and contact them directly if unsure.

The data issues exposed here show a bigger problem with how personal information is handled across industries. When systems lack basic controls, they become easy targets for attackers.

If you’ve received one of these emails or suspect your data was accessed, contact your microchip registry directly and report it to Action Fraud.

For professionals working in the pet care or vet industry, this is a good time to review how staff logins are managed and whether sensitive platforms are protected by more than just a password.



