XML 66 R33.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 28, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
To effectively assess, identify, and manage material risks from cybersecurity threats, the Company maintains a cyber risk management program, which is led by our Chief Information Security Officer and Vice President of Infrastructure Services and Supply Chain Systems (the “CISO”). The CISO reports to the Executive Vice President, Chief Information & Technology Officer (the “CITO”), who in turn reports to the CEO.
The Company has implemented the following processes to assess, identify, and manage material risks from cybersecurity threats:
Annual audits, by an independent third party, of the Company’s cybersecurity framework under the National Institute of Standards and Technology (“NIST”) cybersecurity framework;
Penetration tests conducted by a third party;
Simulation of attacks on the Company’s systems by third parties to test the Company’s systems and protections;
“Table-top” simulation exercises involving the Company’s management and its third-party consultants and advisors to simulate a cyber incident and the Company’s response to that incident, pursuant to the Company’s Incident Response Plan; and
Payment card industry (“PCI”) audits to assess the Company’s processing of credit card transactions pursuant to standards adopted by the PCI.
In addition, to mitigate material risks from cybersecurity threats, the Company has implemented various controls, including, but not limited to, the following:
Intrusion prevention controls (such as network segmentation and firewalls);
Access controls (such as identity and access management and multi-factor authentication on critical applications and systems);
Detection controls (such as endpoint threat detection and response, and logging and monitoring involving the use of a third-party for security information and event management, with reports and alerts provided by the third-party to the CISO’s team); and
Threat protection controls (such as mandatory cyber-threat training and simulated phishing campaigns with employees, vendor management programs, and vulnerability and patch management).
The Company has integrated its processes for assessing, identifying, and managing material risks from cybersecurity threats into its overall risk management framework, including through coordination with the Company’s internal leader of Enterprise Risk Management, and through quarterly reporting to the Company’s Audit Committee. Cybersecurity threats, including as a result of any previous cybersecurity incidents incurred either by us or third parties, have not materially affected, and are not reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition, except as disclosed in the risk factor titled “Our systems, and those of our third-party vendors, contain personal information and payment data of our retail store and eCommerce customers, and other third parties could be breached, which could subject us to adverse publicity, costly government enforcement actions or private litigation, and expenses” in Part I, Item 1A, “Risk Factors”.
The Company has also implemented processes for overseeing and identifying risks from cybersecurity threats associated with its use of third-party service providers. For example, the Company has implemented the following:
Vendor onboarding processes including a Privacy Impact Assessment and a Cyber Security and Compliance Questionnaire; and
Enrollment of each vendor in a third-party risk monitoring tool that alerts the CISO’s team should that vendor’s security posture change.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The Company has integrated its processes for assessing, identifying, and managing material risks from cybersecurity threats into its overall risk management framework, including through coordination with the Company’s internal leader of Enterprise Risk Management, and through quarterly reporting to the Company’s Audit Committee.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Audit Committee of the Board of Directors oversees risks from cybersecurity threats, including through quarterly reports to the Audit Committee by the Company’s CISO and CIO and, as needed, special reports to the Audit Committee and/or the Chairperson of the Audit Committee. The Audit Committee includes members with technology and cybersecurity experience and certifications, including a Committee member with over 28 years of experience working for Hewlett Packard Enterprise Company and a Committee member with a Computer Emergency Readiness Team (“CERT”) Certificate in Cybersecurity Oversight issued by the CERT Division of the Software Engineering Institute at Carnegie Mellon University and completion of the National Association of Corporate Directors Master Course in Cybersecurity.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee of the Board of Directors oversees risks from cybersecurity threats
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] including through quarterly reports to the Audit Committee by the Company’s CISO and CIO and, as needed, special reports to the Audit Committee and/or the Chairperson of the Audit Committee.
Cybersecurity Risk Role of Management [Text Block]
Management plays an integral role in assessing and managing the Company’s material risks from cybersecurity threats. The assessment and management of those risks are led by the Company’s CISO, who has over 20 years of experience working in information technology, including over 10 years specifically focused on information security, infrastructure, and strategy, and the Company’s CIO, who has over 30 years of experience in Retail, Consumer Products, Merchandising, and IT, of which 16 years have been in leadership roles, and are implemented by the CISO’s team, which is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, processes and operations. The CISO and CIO lead quarterly meetings of the Company’s Security Executive Steering Committee (the “Steering Committee”), which is composed of the Company’s CFO, General Counsel, and CIO. The Steering Committee drives awareness, ownership and alignment across broad governance and risk stakeholder groups for effective cybersecurity risk management and reporting.
The Company’s management maintains and implements a written Incident Response Plan, which is reviewed and updated on an annual basis and includes an Incident Response Plan Executive Committee consisting of the Company’s CIO, CISO, and General Counsel. In addition, members of the CISO’s and CIO’s teams monitor the Company’s systems and processes and promptly report incidents as required under the Incident Response Plan, including, but not limited to, reporting to the appropriate members of management and, as needed, the Audit Committee.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The assessment and management of those risks are led by the Company’s CISO, who has over 20 years of experience working in information technology, including over 10 years specifically focused on information security, infrastructure, and strategy, and the Company’s CIO, who has over 30 years of experience in Retail, Consumer Products, Merchandising, and IT, of which 16 years have been in leadership roles, and are implemented by the CISO’s team, which is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, processes and operations.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The assessment and management of those risks are led by the Company’s CISO, who has over 20 years of experience working in information technology, including over 10 years specifically focused on information security, infrastructure, and strategy, and the Company’s CIO, who has over 30 years of experience in Retail, Consumer Products, Merchandising, and IT, of which 16 years have been in leadership roles, and are implemented by the CISO’s team, which is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, processes and operations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] In addition, members of the CISO’s and CIO’s teams monitor the Company’s systems and processes and promptly report incidents as required under the Incident Response Plan, including, but not limited to, reporting to the appropriate members of management and, as needed, the Audit Committee.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true