
600,000 Customers Just Got Exposed — Here's How to Shop Online Without a Trace

The Canada Goose breach is a reminder that every online purchase creates a data trail. Here's how to minimize yours.

Last weekend, hackers from the ShinyHunters group leaked over 600,000 Canada Goose customer records — names, emails, and payment-related data from past transactions. Canada Goose says their own systems weren't breached, which probably means a third-party processor or marketing partner was the weak link.

That detail matters. You can be careful with who you buy from, but you have zero control over how many subcontractors touch your data after checkout.

Every time you buy something online, you're not just handing over money. You're creating a record — your name, address, email, phone number, card details, what you bought, when you bought it, sometimes even what you looked at before buying. That data gets stored, shared, analyzed, and eventually leaked.

So here's what I do to keep my shopping data trail as short as possible.

The Data You're Actually Handing Over

Most people think of online shopping as a simple exchange: money for product. But the actual data flow looks more like this:

  • Account details — name, email, phone, password
  • Payment data — card number, billing address, sometimes bank details
  • Shipping info — your physical address, delivery preferences
  • Behavioral data — what you browsed, how long you looked, what you abandoned in your cart
  • Device fingerprint — browser, OS, screen resolution, IP address

All of this gets stored. Some of it gets shared with payment processors, shipping companies, analytics providers, marketing platforms, and fraud detection services. Each one of those is a potential breach waiting to happen.

Under GDPR, companies need a legal basis to store all this, and you can request deletion. But let's be honest — by the time you hear about a breach, your data has already been copied, sold, or dumped on a forum.

Prevention beats cleanup.

Use Virtual Cards

This is the single most impactful thing you can do. Instead of giving every shop your real card number, use a virtual card that's unique per merchant.

Services I've used:

  • Revolut — Free virtual cards, disposable one-time cards on premium plans. Available across Europe.
  • Wise — Digital cards that work well for international purchases.
  • Privacy.com — US-focused, but worth mentioning. Lets you set spending limits per merchant.

The idea is simple: if a retailer gets breached, the attackers get a card number that only works at that one store. You freeze it, generate a new one, move on.

Some banks in Europe now offer virtual cards directly through their apps. Check yours — you might already have this option.

Stop Creating Accounts

I know, the "create an account for 10% off" popup is tempting. Don't do it. Every account is another database entry with your email, password hash (hopefully), and purchase history.

Guest checkout exists for a reason. Use it.

When guest checkout isn't available, I create an account with:

  • A unique email alias (I've written about this before)
  • A generated password from my password manager
  • Minimal profile info — no phone number, no birthday, no "preferences"

After the order arrives, I sometimes go back and delete the account entirely. GDPR gives you that right — use it. Most EU shops have account deletion somewhere in settings. If they don't, email them with a deletion request under Article 17.

Shipping Address Tricks

Your physical address is harder to protect than your email. A few options:

  • Parcel lockers — PostNord, DHL Packstation, InPost, and others let you receive packages at a locker near you. No home address needed.
  • Work address — If your workplace allows it, this keeps your home address out of another database.
  • PO boxes — Old school but effective.

I use parcel lockers for anything that isn't furniture. It's more convenient anyway — no waiting for the delivery driver.

Pay Without a Trail

For maximum privacy, some options go further than virtual cards:

  • Prepaid debit cards — Buy one with cash at a shop. Load it, use it online, throw it away. No link to your identity.
  • Cryptocurrency — Some European retailers accept it. Honestly, the UX is still terrible for everyday shopping, so I only use this for specific purchases.
  • PayPal — Not perfect, but it does hide your actual card number from the merchant. The merchant only sees your PayPal email. Use it with an alias email for decent separation.

The prepaid card approach is underrated. A €50 Visa gift card from a supermarket is practically anonymous.

Browser Hygiene While Shopping

Retailers track you before you even buy anything. Your browsing behavior feeds into pricing algorithms, retargeting ads, and customer profiles.

Basic steps:

  • Use a separate browser profile for shopping. I keep a Firefox profile that I only use for purchases. No social media cookies, no Google login, no cross-site tracking.
  • Use an ad blocker. uBlock Origin strips out most tracking scripts.
  • Clear cookies after purchases. Or use Firefox containers to isolate each shopping site automatically.
  • Don't click email links. When you get an order confirmation, go to the site directly instead of clicking the tracking link. Those links often go through marketing analytics first.

Loyalty Programs Are Surveillance Programs

Every loyalty card, points program, and "members-only deal" exists for one reason: to tie your purchases to your identity over time.

That purchase history is incredibly valuable. It tells retailers what you buy, how often, how price-sensitive you are, and what ads will work on you. It also becomes another dataset that can leak.

I skip loyalty programs entirely unless the savings are substantial and the company has a decent privacy track record. For groceries, where loyalty discounts are real, I use a card registered to a minimal profile — alias email, no phone number.

What to Do After a Breach

When a retailer you've shopped at gets breached (and it's when, not if):

  1. Freeze the card you used there. If it was a virtual card, just delete it.
  2. Change the password if you had an account. Then delete the account.
  3. Watch for phishing. Attackers now know you're a customer of that brand. They'll send convincing fake emails about "order issues" or "security updates."
  4. Check haveibeenpwned.com to see what data was exposed.
  5. File a GDPR complaint if the company didn't notify you properly. Your national data protection authority handles these — it's usually a simple online form.

The Realistic Version

I'm not going to pretend I do all of this for every purchase. For a €10 book, I'll use guest checkout with an email alias and call it done. For a €500 electronics order, I'll use a virtual card, parcel locker, and a throwaway account.

The point isn't perfection — it's reducing the blast radius. When the next breach hits (and the next one is always coming), you want your data to be as useless as possible to whoever stole it.

The Canada Goose leak affected 600,000 people who just wanted a jacket. That's a lot of names, emails, and payment details floating around because one company — or one of its partners — didn't secure a database properly.

You can't control that. But you can make sure the data they had on you was a virtual card that's already been deleted and an email alias that goes nowhere.
