What happened
Hackers linked to the ShinyHunters data extortion group have claimed responsibility for leaking more than 600,000 customer records belonging to Canada Goose. The group published a 1.67 GB dataset on its leak site containing detailed e-commerce order records, including customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, and order histories. The dataset also included partial payment card information such as card brand and truncated card numbers, along with payment authorization metadata.
Canada Goose stated that the data appears to relate to historical customer transactions and said it has found no evidence that its own systems were breached. The company is reviewing the dataset to determine its scope and origin, while attackers claimed the data may have come from a third-party payment processor breach dating back to August 2025.
Who is affected
Customers of Canada Goose whose transaction data was included in the leaked dataset are affected, as exposed records contain personal details, order histories, and partial payment card information associated with past purchases.
Why CISOs should care
The exposure of historical transaction data through a suspected third-party service highlights ongoing risks in e-commerce ecosystems where payment processors and service providers store sensitive customer and transactional information.
3 practical actions
- Investigate third-party data exposure. Review integrations with payment processors and external vendors that handle customer transaction data.
- Monitor leaked datasets. Analyze published records to determine whether customer or enterprise data was included.
- Strengthen vendor security oversight. Ensure service providers implement appropriate controls to protect customer transaction information.
