On 15 February 2026, ShinyHunters published 581,877 customer records attributed to Canada Goose. The data included names, email addresses, phone numbers, billing and shipping addresses, partial payment card data, and detailed order histories. Canada Goose issued a statement the same day: “Canada Goose is aware that a historical dataset relating to past customer transactions has recently been published online. At this time, we have no indication of any breach of our own systems.”
Twenty-four days later, on 11 March 2026, the data extortion group Coinbasecartel listed Canada Goose on their leak portal. The claimed data type was entirely different: not customer records, but internal supply chain data — vendors, suppliers, logistics. Canada Goose issued no statement.
Two threat actors. Two distinct datasets. Two different upstream sources. In both cases, the vendor at the centre of the incident has not been publicly named.
The ShinyHunters Incident
ShinyHunters told BleepingComputer that the Canada Goose dataset originated from a breach at a third-party payment processor, with data dated to August 2025. The breach of that processor, by ShinyHunters' account, was unrelated to any single-sign-on compromise — a distinction they made to separate this operation from their concurrent campaigns.
Canada Goose's response confirmed the data existed and acknowledged it related to customer transactions, while asserting that its own systems were not directly compromised. The company added that its investigation found no evidence that unmasked financial data was involved — a reference to the partial card data in the dump, which included card brand, last four digits, and in some cases the first six digits (BIN), but not full card numbers.
Have I Been Pwned recorded the breach at 581,877 accounts. The data fields were granular: IP addresses, device and browser fingerprints, payment authorisation metadata, and order values alongside the personal identifiers. For a threat actor, this provides targeting material well beyond what names and email addresses alone would enable.
What Canada Goose's response did not do was name the payment processor. This matters — not because customers can pursue the processor directly, but because other organisations using the same processor have no way of knowing they may be exposed to the same dataset. The first public signal that anything had happened was ShinyHunters listing the data themselves, six months after the original August 2025 compromise.
Coinbasecartel: The Group and the Claim
Coinbasecartel emerged in September 2025, announcing itself with 14 victims in its first month. By April 2026, ransomware.live recorded 132 victims across 17 industries. The group operates exclusively through data exfiltration — no encryption, no operational disruption to the target. Their model is theft, public listing, and escalating pressure: a 48-hour response window followed by a 10-day negotiation period, Bitcoin-only payment.
Their leak portal displays revenue estimates, industry tags, and status markers — “ACTIVE” or “LEAKED” — with sample uploads released at chosen points in the negotiation as pressure. Bitdefender ranked the group among their top ten ransomware-adjacent groups in September and December 2025. The distinguishing characteristic is what the model removes rather than what it adds: no encryption payload, no lateral movement once the data is out, and no operational disturbance that would force a target to engage with incident response in the way a ransomware deployment would. The pressure is entirely reputational and legal, carried by the portal listing itself.
In October 2025, security researchers noted infrastructure overlaps and contact-pattern similarities with ShinyHunters, suggesting possible affiliation. Bitdefender reported the hypothesis but stated the connection “has not yet been validated beyond contacts or infrastructure hints.” It remains unconfirmed.
Canada Goose's listing on 11 March 2026 carries the description: “We have all their supply chain data.” No samples have been disclosed. Status remains active.
The March 11 Cluster
Canada Goose was not the only listing that day. Ransomware.live shows Lacoste and Staples were also posted on 11 March 2026. Then on 12 April 2026, Ralph Lauren, Carters, and Helzberg appeared — another same-day batch, again fashion and retail-heavy.
Threat actors batch their listings for operational reasons: negotiations run in parallel, public pressure is concentrated, and multiple simultaneous listings signal to the market that a particular sector or vendor ecosystem has been accessed. When two competing luxury fashion brands — Canada Goose and Lacoste — appear on the same day with claims of supply chain data, the most likely explanation is a shared vendor.
Canada Goose and Lacoste have no meaningful overlap in customer base, geography, or retail strategy. What luxury fashion brands do tend to share is upstream infrastructure: product lifecycle management platforms, international freight and customs brokers, third-party logistics providers, or ERP systems with fashion-specific supply chain modules. Any of these would hold the vendor lists, supplier contracts, and logistics data that Coinbasecartel claims to have obtained. A single compromise at one of those shared platforms could surface as separate listings against multiple brands, each announced as though the brand itself had been the target. From outside, the listings read as unrelated incidents. From the threat actor's side, they are the same operation.
The identity of that vendor has not been established. No statement from Lacoste has surfaced publicly. Canada Goose has addressed neither the Coinbasecartel listing nor the co-listing pattern.
If your organisation shares supply chain infrastructure with consumer brands, a Corporate Audit maps which of your vendors have been listed by extortion groups — before you find out through a listing of your own.
Talk to an AnalystWhat “Not Our Systems” Actually Costs
The standard third-party deflection — “our own systems were not breached” — is accurate as far as it goes. Canada Goose's February statement appears to reflect a genuine factual position: the payment processor was the point of compromise, not Canada Goose's own infrastructure. This is a meaningful distinction in legal and regulatory terms.
It is not, however, the full picture that downstream parties need.
When a payment processor is breached and a brand names neither the processor nor the scope of other organisations using it, every other client of that processor remains unaware. Their fraud teams are not on alert. Their own incident response processes are not triggered, because no one told them there was an incident.
The ShinyHunters breach of the payment processor occurred in August 2025. The data was published in February 2026 — six months later. In those six months, there was no public disclosure that reached other processor clients. The result is that organisations sharing the same processor had no opportunity to act on the compromise before the data was already circulating.
The Coinbasecartel scenario adds a different dimension. Supply chain data — vendor lists, supplier agreements, logistics partners, pricing and sourcing arrangements — does not affect end customers in the way that order histories do. Its exposure is felt by the suppliers themselves, who may now appear in a threat actor's dataset without any notification from the brand whose supply chain they service.
The Ecosystem Question
The unconfirmed ShinyHunters–Coinbasecartel affiliation is worth tracking, not asserting. What can be observed is that both groups operate identically in model: data theft without encryption, public shaming portals, escalating timelines, and a preference for high-revenue targets. ShinyHunters is the more established operation; Coinbasecartel appears to be expanding into supply chain and industrial data, sectors where ShinyHunters has historically focused less.
If the infrastructure overlap researchers identified reflects actual coordination, then access gained through a payment processor could have provided intelligence on a target's vendor relationships — information that feeds a subsequent supply chain campaign. The 24-day gap between Canada Goose's two listings is consistent with that sequence. It does not confirm it.
What the timeline does confirm is that Canada Goose was assessed, listed, and exposed by two separate groups with two separate data types within a month. The first time, they responded. The second time, they did not.
The Response Gap
Canada Goose's February statement followed a defensible structure: acknowledge the publication, deny direct breach, attribute to a third party, confirm no unmasked financial data. It was issued the same day as initial press coverage, suggesting prepared communications protocols were in place.
The March silence is harder to read from the outside. Organisations sometimes choose not to comment on extortion group listings on the basis that engagement validates the claim or signals willingness to negotiate. There is logic to that in certain circumstances.
The difficulty is that a supply chain listing affects a different category of stakeholder than a customer data listing. Suppliers, logistics partners, and procurement contacts at counterparty brands have no independent means of assessing the risk without some signal from the organisation whose supply chain data is claimed. Silence protects the brand's public position. It does not protect the vendors in the claimed dataset.
Canada Goose is a publicly listed company with $1.3 billion in annual revenue. The external record — two listings in 24 days, one statement, one silence, no vendor named in either case — does not in itself confirm a security failure at Canada Goose. What it confirms is opacity in the surrounding ecosystem. For the organisations operating within that supply chain, and for the security teams charged with tracking third-party risk, opacity is the problem that has to be worked around.