Last updated 1 month ago
Canada Goose, a premium outerwear retailer, experienced a customer data breach involving 920,000 records with 582,000 unique email addresses. The breach was publicly disclosed in February 2026, with the data originating from a third-party breach that occurred in August 2025. The compromised records contained customer transaction data with the most recent transaction dated July 2025.
The breach resulted from a supply chain attack targeting a third-party service provider, with the data exfiltration occurring in August 2025. The exposed data includes customer names, email addresses, phone numbers, IP addresses, physical addresses, and partial credit card information consisting of card type and last four digits. The breach affected historical customer transaction data rather than current systems.
Canada Goose confirmed the data appears to relate to past customer transactions and originated from the third-party breach. The company has not disclosed specific remediation measures taken following the breach notification.
Third-party data breach
This breach demonstrates critical third-party risk management failures in Canada Goose's supply chain, particularly inadequate vendor security assessments and monitoring of data handling by service providers. The exposure of partial payment card data alongside comprehensive personal information highlights insufficient data minimization practices and weak contractual security requirements for partners handling sensitive customer data.
Sign in to join the discussion.
Company
Industry
Location
Disclosed
Records Affected
Attack Vector