More than 600,000 Canada Goose customer records, including personal and partial payment information, have been leaked online, according to claims made by the data extortion group ShinyHunters. The company acknowledges a historical dataset relating to past customer transactions has been published, but maintains its systems have not been breached.
The data surfaced on February 14 via ShinyHunters’ leak site, with the group advertising the availability of over 600,000 records containing personally identifiable information and payment details, as reported by The Register. Canada Goose spokesperson Alexander Thomson confirmed the company is aware of the published dataset. “At this time, we have no indication of any breach of our own systems,” Thomson stated. “We are currently reviewing the newly released dataset to assess its accuracy and scope, and will take any further steps as may be appropriate.”
Samples of the leaked data, reviewed by BleepingComputer, are in JSON format and contain detailed e-commerce order records. These records include customer names, email addresses, phone numbers, billing and shipping addresses, IP addresses, and order histories. The data similarly includes partial payment card information, such as card brand, the last four digits of card numbers, and, in some instances, the first six digits (BIN) and payment authorization metadata.
Canada Goose asserts that its review has not revealed evidence of unmasked financial data being compromised. However, security researchers note that even partial payment information poses a risk of phishing and fraud through targeted social engineering attacks. Cybernews reports the leaked data appears to originate from transactions between 2021 and 2023.
ShinyHunters, a well-known data extortion group, has been linked to numerous recent data breaches, including incidents involving Panera Bread, Canva, and Okta. According to TechRadar, the group has a history of targeting companies and leaking customer data for financial gain.
While Canada Goose maintains the data stems from past transactions and does not indicate a current system compromise, the company has not disclosed how the historical dataset was originally obtained or the identity of any potential third-party processors involved. The company, headquartered in Toronto, operates a manufacturing facility in Montreal.
Canada Goose has stated it is committed to protecting customer information and is taking steps to assess the impact of the leaked data. The company did not respond to questions from the Journal in French, according to a report from Quebec’s Journal de Montréal.
