What Happened
Gap Inc. experienced a data breach that was initially discovered on July 22, 2025, when the company detected a network disruption. The breach exposed sensitive personal information including names, Social Security numbers, driver’s license or state ID numbers, medical information, and health insurance information belonging to an undetermined number of individuals. The incident was publicly announced in early October 2025 by the cybercriminal group ShinyHunters (also referred to as “Scattered LAPSUS$ Hunters”), who demanded a ransom and threatened to release the stolen data. The breach involved approximately 1GB of data, and Gap Inc. began notifying affected individuals with data breach notification letters starting on November 28, 2025, offering complimentary credit monitoring services to those impacted.
