Full Report
In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly. The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses and partial credit card data, specifically card type and last 4 digits. Canada Goose advised that the data "appears to relate to past customer transactions" and stated that it originated from a breach at a third party in August 2025. The most recent transaction date in the data is July 2025.
Analysis Summary
# Incident Report: Canada Goose Third-Party Supply Chain Breach
## Executive Summary
In February 2026, a dataset containing approximately 920,000 records belonging to Canada Goose customers was leaked publicly on a hacking forum. The breach originated from a third-party service provider in August 2025, exposing personally identifiable information (PII) and partial financial data associated with over 581,000 unique email addresses. Canada Goose has confirmed the data relates to historical transactions, with the most recent entry dated July 2025.
## Incident Details
- **Discovery Date:** February 17, 2026 (Public leak)
- **Incident Date:** August 2025
- **Affected Organization:** Canada Goose (via unnamed third-party vendor)
- **Sector:** Retail / Luxury Apparel
- **Geography:** Global (Headquartered in Canada)
## Timeline of Events
### Initial Access
- **Date/Time:** August 2025
- **Vector:** Third-party compromise (Supply Chain)
- **Details:** Attackers breached a third-party vendor used by Canada Goose to manage or store customer transaction data.
### Lateral Movement
- **Details:** Specific lateral movement techniques within the third-party environment were not disclosed; however, the attackers gained sufficient access to export historical transaction databases.
### Data Exfiltration/Impact
- **Details:** Approximately 920,000 records were exfiltrated. The data includes transactions up to July 2025, suggesting a "snapshot" of historical customer data was taken during the August breach.
### Detection & Response
- **Discovery:** The incident came to light when the data was published publicly on a leak site in February 2026.
- **Response Actions:** Canada Goose launched an investigation into the leaked data, verified its authenticity, and linked the origin to the August 2025 third-party incident.
## Attack Methodology
- **Initial Access:** Exploitation of a third-party vendor's security vulnerabilities (Supply Chain Attack).
- **Collection:** Automated or manual extraction of customer transaction databases.
- **Exfiltration:** Data was moved from the third-party environment to attacker-controlled infrastructure.
- **Impact:** Public release of PII and partial financial data for 581,911 unique email addresses.
- *Note: Specific technical details regarding Persistence, Privilege Escalation, and Defense Evasion were not disclosed in the public report.*
## Impact Assessment
- **Financial:** Potential regulatory fines (GDPR/PIPEDA) and costs associated with forensic investigations.
- **Data Breach:** Exposure of 581,911 unique email addresses, names, phone numbers, physical addresses, IP addresses, and device info.
- **Operational:** Management of incident response and third-party risk reassessment.
- **Reputational:** High-profile public leak of "luxury" customer data, potentially impacting brand trust.
## Indicators of Compromise
- **Network indicators:** None disclosed.
- **File indicators:** Database export files (920k records).
- **Behavioral indicators:** Large-scale unauthorized data egress from third-party transaction systems in August 2025.
## Response Actions
- **Containment:** The third-party vendor supposedly secured its environment after August 2025.
- **Eradication:** Canada Goose is investigating the scope of the leak to ensure no further data remains at risk.
- **Recovery:** Public disclosure and confirmation of the breach source to inform affected customers.
## Lessons Learned
- **Supply Chain Vulnerability:** Dependence on third-party vendors for transaction processing introduces significant risk outside the primary organization’s direct control.
- **Delayed Detection:** The gap between the actual breach (August 2025) and public discovery (February 2026) highlights a failure in third-party monitoring and incident notification.
- **Data Minimization:** Historical transaction data remained accessible; stricter data retention or masking policies could have reduced the impact.
## Recommendations
- **Third-Party Risk Management (TPRM):** Conduct rigorous security audits of all vendors handling customer PII.
- **Encryption:** Encrypt sensitive fields (like partial credit card info and addresses) at rest so that they stay protected even in a breach.
- **Egress Monitoring:** Implement anomaly detection to alert on large data transfers from vendor environments.
- **Notification Requirements:** Mandate in vendor contracts that any suspected breach must be reported to the primary organization within 24–48 hours.