Outdoor retail store warns customers that their card details may have taken a hike

New Zealand-based outdoor clothing and equipment store Kathmandu Holdings is investigating a data breach that may have resulted in customers’ personal details and payment information being compromised.

The security incident, which happened between January 8 and February 12 this year, impacted an unspecified number of online shoppers, the company said.

An unidentified third party accessed Kathmandu Holdings’ website platform and is believed to have taken personal information and payment details of some customers.

Information that may have been accessed includes billing and shipping addresses, email addresses, phone numbers, credit and debit card details, customer loyalty club usernames and passwords, and delivery instructions.

Kathmandu Holdings has said it is “urgently” investigating and has reset the passwords of the Kathmandu Summit Club customer club accounts.

None of the company’s 167 worldwide retail stores, including 118 in Australia, 48 in New Zealand, and one in the UK, have been affected.

CEO Xavier Simonet said: “Whilst the independent forensic investigation is ongoing, we are notifying customers and relevant authorities as soon as practicable.

“As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologise to any customers who may have been impacted.”

Customers who are potentially impacted by the incident will be contacted directly, Kathmandu Holdings confirmed, but anyone who believes they have been affected is urged to contact their bank.

Although it isn’t clear how the hackers accessed the website’s platform, the information is believed to have been taken when details were entered on the checkout page.

This could point to the use of form-grabbing techniques, such as the widely reported Magecart exploit, which has so far targeted British Airways, Ticketmaster, Sotheby’s Home, and other retail websites.
