Recently, Gap reported to the Attorney General of Vermont that it had experienced a data breach in which sensitive personally identifiable information and protected health information in its care may have been compromised. According to the breach notice, on July 22, 2025, Gap experienced a network disruption. As a result, Gap launched an investigation to determine the nature of the incident.
Through its investigation, Gap confirmed that sensitive personal information in its systems may have been accessed or acquired by an unauthorized third party during the breach. As a result, Gap began a review of the data to determine what information had been impacted and to identify the specific individuals affected. While the information impacted varies depending on the individual, the types of information potentially exposed include:
Name
Social Security number
Driver’s license or state ID number
Medical information
Health insurance information
On November 28, 2025, Gap began mailing data breach notification letters to impacted individuals. Based on the breach notice sent to Vermont residents, Gap is providing affected individuals with a list of the specific types of sensitive information impacted and complimentary credit monitoring services. A link to the breach notification letters that Gap filed with the Attorney General of Vermont is below.
Source: https://straussborrelli.com/2025/12/03/gap-international-data-breach-investigation/
Gap Inc. cybersecurity rating report: https://www.rankiteo.com/company/gap-inc-
{
  "id": "GAP1764815006",
  "linkid": "gap-inc-",
  "type": "Breach",
  "date": "12/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'incident': {'affected_entities': [{'customers_affected': None,
'industry': 'Apparel and Accessories',
'location': 'Global (HQ: San Francisco, '
'California, USA)',
'name': 'Gap Inc.',
'size': None,
'type': 'Retail Corporation'}],
'customer_advisories': 'Notification letters sent to affected '
'individuals with details of compromised '
'data and credit monitoring offers.',
'data_breach': {'data_encryption': None,
'data_exfiltration': 'Potential access or '
'acquisition by '
'unauthorized third party',
'file_types_exposed': None,
'number_of_records_exposed': None,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (includes SSNs, '
'driver’s license '
'numbers, medical, and '
'health insurance '
'information)',
'type_of_data_compromised': ['Personally '
'Identifiable '
'Information (PII)',
'Protected Health '
'Information '
'(PHI)']},
'date_detected': '2025-07-22',
'date_publicly_disclosed': '2025-11-28',
'description': 'Gap reported a data breach to the Attorney '
'General of Vermont, where sensitive personal '
'identifiable information (PII) and protected '
'health information (PHI) may have been '
'compromised. The breach was detected following a '
'network disruption on July 22, 2025. An '
'investigation confirmed unauthorized access to '
'systems, potentially exposing names, Social '
'Security numbers, driver’s license/state ID '
'numbers, medical information, and health '
'insurance details. Notification letters were '
'mailed to affected individuals on November 28, '
'2025, offering complimentary credit monitoring '
'services.',
'impact': {'brand_reputation_impact': 'Potential negative impact '
'due to exposure of '
'sensitive PII/PHI',
'conversion_rate_impact': None,
'customer_complaints': None,
'data_compromised': ['Name',
'Social Security number',
'Driver’s license/state ID '
'number',
'Medical information',
'Health insurance information'],
'downtime': None,
'financial_loss': None,
'identity_theft_risk': 'High (due to exposure of '
'SSNs, driver’s license '
'numbers, and health '
'information)',
'legal_liabilities': None,
'operational_impact': None,
'payment_information_risk': None,
'revenue_loss': None,
'systems_affected': None},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': None,
'high_value_targets': None,
'reconnaissance_period': None},
'investigation_status': 'Completed (as of November 2025)',
'post_incident_analysis': {'corrective_actions': None,
'root_causes': None},
'ransomware': {'data_encryption': None,
'data_exfiltration': None,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': None,
'source': 'Attorney General of Vermont - Gap '
'Data Breach Notice',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': None,
'regulations_violated': None,
'regulatory_notifications': 'Notified '
'Attorney '
'General '
'of '
'Vermont'},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': 'Notification letters '
'mailed to affected '
'individuals on '
'2025-11-28, offering '
'complimentary credit '
'monitoring services.',
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': True,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': None,
'remediation_measures': None,
'third_party_assistance': None},
'title': 'Gap Data Breach Involving Sensitive Personal and '
'Health Information',
'type': ['Data Breach', 'Unauthorized Access']}}