Key Findings

• In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly.

• The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses, and partial credit card data.

• Canada Goose stated that the data "appears to relate to past customer transactions" and originated from a breach at a third party in August 2025.

• The most recent transaction date in the data is July 2025.

• Canada Goose denies its own systems were breached.

Background

Canada Goose is a Canadian luxury outerwear company best known for high-end, cold-weather jackets and parkas. Founded in 1957 and headquartered in Toronto, it has grown into a global fashion brand selling premium apparel through its own stores and wholesale partners worldwide.

The Data Breach

• In February 2026, the data extortion group ShinyHunters claimed responsibility for the breach and published over 600,000 Canada Goose customer records on its data leak site.

• The leaked data includes order information, such as names, emails, addresses, partial card data (brand, last four digits, some BIN numbers), and purchase history.

• Canada Goose stated that it did not suffer a security breach and that the leaked data seems tied to past customer transactions.

• The company is investigating the claims to determine the number of customers affected and will notify them accordingly.

Cybercrime Group Involvement

• Recently, the ShinyHunters group also claimed responsibility for the breach of the blockchain-based lending firm Figure.

• According to a Figure spokesperson, the incident allowed hackers to access and steal a limited number of files after an employee fell victim to a social engineering attack.

Sources

• https://haveibeenpwned.com/Breach/CanadaGoose

• https://securityaffairs.com/188046/data-breach/shinyhunters-leaked-600k-canada-goose-customer-records-but-the-firm-denies-it-was-breached.html