Canada Goose Data Breach Exposes Names, Addresses and Partial Card Data

Retail data breach illustration
Breach Discovery: 1st August 2025Breach Notification: 1st February 2026

What Happened in the Canada Goose Data Breach?

In February 2026, a dataset containing information tied to Canada Goose customers appeared publicly online. The Canada Goose data breach came to light after researchers discovered the leaked records being circulated. As a result, the exposure was flagged and confirmed as genuine customer data rather than a hoax.

According to Canada Goose, the data appears to relate to past customer transactions. The company stated that the information originated from a breach at a third-party vendor. That incident reportedly occurred in August 2025. Interestingly, the most recent transaction date found within the leaked dataset is July 2025, which suggests the exposed records span a period before the breach was even detected.

Because the breach happened at a third party, Canada Goose’s own internal systems were not directly compromised. However, the company still had to investigate how a vendor holding its customer data was infiltrated. This kind of third-party exposure is increasingly common, since retailers often rely on outside processors and marketing partners to handle customer records. The investigation into the scope and cause of the incident remains ongoing.

Who was affected?

The Canada Goose data breach affected a large number of the brand’s customers. The leaked dataset reportedly contains around 920,000 records, with roughly 582,000 unique email addresses among them. This means many individuals may have multiple records tied to their name if they made several purchases over time.

Because the data relates to past customer transactions, the people affected are likely individuals who purchased Canada Goose products, either online or possibly through affiliated retail channels. At this time, the exact geographic breakdown of affected customers has not been publicly disclosed. Given Canada Goose’s global customer base, it is reasonable to assume the exposure may include customers in the United States as well as other countries.

What Information Was Potentially Exposed?

The exposed dataset reportedly includes a range of personal and transactional details. This combination of data types raises real concerns, since it goes beyond just an email address and touches on financial and contact information.

  • Names
  • Email addresses
  • Phone numbers
  • Physical addresses
  • IP addresses
  • Device information
  • Purchase history
  • Partial credit card data (card type and last four digits)

Although the credit card information appears to be partial rather than complete, the exposure still creates risk. For instance, attackers often combine partial card details with other stolen data to make phishing attempts appear more convincing. Someone receiving a scam email referencing their real purchase history and the last four digits of their card may be far more likely to trust it.

In addition, the exposure of full names, phone numbers and physical addresses together increases the risk of targeted scams. Fraudsters could use this information to impersonate Canada Goose customer service or shipping providers. Because the data includes purchase details, criminals may craft messages that reference specific orders, making the scam attempts feel legitimate and increasing the chance a victim responds.

What is the company doing?

Canada Goose has acknowledged that the data appears to relate to past customer transactions and has attributed the source of the exposure to a third-party vendor breach. As a result, the company has been working to understand exactly how the vendor’s systems were compromised and what data was taken. This kind of review typically involves coordinating with the third party directly to confirm the scope of the incident.

Beyond the initial acknowledgment, Canada Goose will likely need to notify affected customers directly, particularly those in jurisdictions with breach notification laws. Additionally, the company may need to review its vendor relationships and data-sharing practices going forward. Retailers facing similar incidents often reassess which third parties have access to sensitive customer information and tighten security requirements as a follow-up step.

What Should Affected Individuals Do?

Monitor Your Credit Reports

Anyone who has shopped with Canada Goose should consider checking their credit reports for unusual activity. Even though the exposed card data is only partial, combined with other personal details, it could still be used in fraud attempts.

You can request free credit reports from the major credit bureaus and review them for accounts or inquiries you don’t recognize. Doing this regularly, rather than just once, helps catch suspicious activity early before it grows into a larger problem.

Watch for Phishing and Scam Attempts

Because names, emails, phone numbers and purchase history were exposed, affected individuals should be especially cautious of unexpected messages referencing Canada Goose orders. Scammers often use real details to make phishing emails or texts look authentic.

If you receive a message claiming to be from Canada Goose asking you to click a link or confirm payment information, avoid clicking it. Instead, go directly to the official Canada Goose website or contact their customer service through verified channels to confirm whether the message is legitimate.

Consider a Fraud Alert or Credit Freeze

Since partial credit card data was included in the breach, it may be worth placing a fraud alert on your credit file. This makes it harder for anyone to open new credit accounts in your name without extra verification.

For added protection, a credit freeze restricts access to your credit report entirely. Although freezing your credit involves a few extra steps when you want to apply for new credit yourself, it provides strong protection against identity theft stemming from stolen personal data.

Update Passwords and Enable Extra Security

If you used the same password for your Canada Goose account elsewhere, now is a good time to change it. Because IP addresses and device information were also part of the exposure, attackers may attempt to use this data to impersonate your device or location during login attempts.

Enabling two-factor authentication wherever possible adds another layer of protection. This means that even if someone obtains your password, they would still need a second verification step to access your account.

Stay Informed About Your Rights

Affected individuals should keep an eye out for any official communication from Canada Goose regarding the breach. This may include details about available protections or next steps.

If you believe you have suffered harm as a result of this exposure, consulting a data breach attorney can help you understand your options. An attorney can evaluate whether you may be eligible for compensation and guide you through the process at no upfront cost during a free case evaluation.



Related Data Breaches