Hacker working on machines showing data breach of customer records

Data Breach Hits Canada Goose, Exposing Over 600,000 Customer Records

Luxury performance outerwear and clothing giant Canada Goose has confirmed a data breach after a prolific threat actor leaked over 600,000 customer records.

Toronto-based Canada Goose reported annual revenue of $1 billion in 2025 and employs about 5,000 people.

The data breach surfaced on February 15, after the notorious hacking group ShinyHunters claimed responsibility by listing Canada Goose on a data leak site and published 1.67 GB of personal and partial payment information.

Canada Goose data breach leaks 600,000 customer records

Analysis of the leaked samples shows that the data breach exposed customer names, phone numbers, email addresses, IP addresses, device and browser information, shipping addresses, and detailed purchase and order histories.

Partial payment card information, including the last four digits of credit card numbers, card brand, the six-digit Bank Identification Number (BIN), and payment authorization data, was also exposed in some cases.

While the leaked customer records contained no sensitive personal or payment information, they could enable hackers to target victims via phishing and social engineering attacks and commit shopping fraud.

Meanwhile, users on the data leak forum claim 583,000 people were affected as the customer records contained duplicates, typical of shopping datasets.

Canada Goose data breach exposed legacy customer records

The apparel giant stated that the data breach exposed past transaction records, and its internal IT infrastructure was not compromised. Similarly, no “unmasked financial data” was exposed during the cyber attack.

“Canada Goose is aware that a historical dataset relating to past customer transactions has recently been published online. At this time, we have no indication of any breach of our own systems,” it claimed.

Canada Goose says it was still verifying the authenticity of the released customer records and the scope of the data breach. However, it reiterated its commitment to protecting customer information and said it will take appropriate steps to protect the victims.

“At this time, we have no indication of any breach of our own systems. We are currently reviewing the newly released dataset to assess its accuracy and scope and will take any further steps as may be appropriate,” Canada Goose stated.

Nevertheless, the retailer did not say how the threat actor obtained the legacy customer records or whether they demanded a ransom. It also remains unclear whether Canada Goose plans to notify impacted customers and when the notification emails will start hitting their inboxes.

Meanwhile, the threat actor claims to have breached a third-party payment service, underscoring the risk posed by vendor partnerships.

“Canada Goose is trying to shift the blame for the breach to a third-party vendor,” said Paul Bischoff, Consumer Privacy Advocate at Comparitech. “Ultimately, however, customers didn’t knowingly give their information to a vendor. They gave it to Canada Goose, so the buck stops with Canada Goose. Luckily, the information in the breached dataset can’t be directly used to steal money or break into accounts. Instead, breach victims should be on the lookout for targeted phishing messages.”

Ransomware group ShinyHunters strikes again

The Canada Goose data breach comes hot on the heels of a vicious vishing campaign by ShinyHunters targeting the identity management company Okta and impacting investment firm Betterment, streaming website SoundCloud, and business intelligence platform CrunchBase.

Since October 2024, ShinyHunters has leveraged voice phishing (vishing) to compromise SaaS products and exfiltrate troves of personal information.

“While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion,” explained Google Threat Intelligence Group.

Most notably, the hacking group breached Salesforce to compromise dozens of organizations by tricking employees into authorizing a rogue OAuth Python-based Data Loader application.