Premium outerwear brand Canada Goose is investigating a potential customer data exposure after the hacking group ShinyHunters published a dataset it claims contains information tied to more than 600,000 customers.
The data allegedly stolen from the company, which surfaced on the hackers’ leak site, includes names, email addresses, phone numbers, billing and shipping addresses, order history, and partial payment card details such as card type and last four digits. ShinyHunters said the dataset weighs in at roughly 1.67GB and comes from Canada Goose customer records.
The customers affected individuals appear to be located in North America and Europe, according to The Register.
The hacking group told BleepingComputer that the data, which dates back to August 2025, originated from a breach of a third-party payment processor.
Canada Goose has acknowledged the claims but said it has not found evidence of a breach within its internal environment and is continuing to investigate the source of the data.
The company told BleepingComputer that the leaked data appears to be related to past customer transactions.
“At this time, we have no indication of any breach of our own systems. We are currently reviewing the newly released dataset to assess its accuracy and scope and will take any further steps as may be appropriate.”
“To be clear, our review shows no evidence that unmasked financial data was involved. Canada Goose remains committed to protecting customer information.”
The company has not yet confirmed how many customers are affected or whether notifications are being issued, saying the investigation is ongoing. For now, customers are being advised to remain alert for suspicious emails or messages that reference past orders or personal details.
Why Partial Data Exposure Still Poses CX Risks
While the dataset does not appear to include full payment card numbers, the exposure still creates customer experience risk.
Contact details combined with order confirmations, shipping addresses, and partial payment metadata are more than enough for malicious actors to carry out highly convincing phishing and social engineering campaigns, even when no financial credentials are directly compromised. Messages that reference a real purchase, delivery location, or payment method are far more likely to trick customers.
Purchase history, device and browser information, and order values provide the context that allows attackers to segment customers and target those who appear to be higher spenders or repeat buyers.
From a customer experience perspective, that means the most loyal and valuable customers may also be the most exposed to follow-on scams, increasing the risk of frustration, churn and brand damage well beyond the initial incident.
There’s also a perception challenge. Customers rarely differentiate between a brand’s internal systems and its partners or vendors. If their data shows up in a leak connected to Canada Goose, the expectation is that the brand owns the response. Slow notifications, vague explanations, or overly technical language can quickly erode trust, even if the breach originated elsewhere.
For CX leaders, incidents like this reinforce the need for clear, empathetic communication and proactive support. That can include plain-language explanations of what data was involved, guidance on spotting fraud that refers to past purchases, and reassurance that customer concerns are being taken seriously. As personalization has become a core CX strategy, the same data that enables better experiences can also magnify the fallout when something goes wrong.
The incident highlights a familiar tension. Even when brands avoid a direct breach, customers often see little distinction between first-party and third-party responsibility. If their data is involved, trust is on the line either way. Data stewardship, vendor oversight, and clear communication after security incidents are increasingly central to how customers judge brand reliability.
