Credit cards cancelled as Kathmandu reveals online store hacked

ASX-listed global outdoors wear and equipment retailer Kathmandu has disclosed it suffered a data breach during the peak post-holidays sales period that saw customers' personal and payments information captured.

"Kathmandu has recently become aware that between 8 January 2019 NZDT and 12 February 2019 NZDT, an unidentified third party gained unauthorised access to the Kathmandu web platform. 

"During this period, the third party may have captured personal information and payment details entered at check-out," the company said in a statement to the Australian Securities Exchange.

The retailer could not say how many customers are affected.

Online transactions at Kathmandu represent 9.4 percent of the group's sales according to its latest annual report.

The document says the company earmarked $2.9 million in capital investment for upgrades to its online platform and CRM system, calling out a three year roadmap for technology
projects  that also include a new warehouse management
system and upgraded ERP system.

Kathmandu runs the Magento e-commerce platform for its site that has been targeted by criminals planting card-skimming malware on unpatched servers over the past few years.

Information that was accessed include customers' billing and shipping name, address, email and phone number as well as the credit and debit card details they used on the site.

Customers' Kathmandu Summit Club username and password and special instructions for orders such as pick up and delivery details could also have been accessed, if they were provided during check-outs.

Users with Australian-issued Visa, Visa Debit or Mastercard that were used on the Kathmandu site when the hack took place may have been re-issued already and the compromised cards blocked, the retailer said.

If not, Kathmandu advised customers to contact their issuing banks for more information as soon as possible.

Customers who used other credit or debit cards on the Kathmandu site when it was compromised should monitor their statements for any discrepancies or unusual activity, and contact issuers with any concerns, the company said.

Passwords for customers in the Kathmandu Summit Club loyalty scheme impacted by the hack have been reset as they too were captured.

Kathmandu said the passwords "are not visible in plain text" but that there is a risk that they can be decrypted.

This could lead to customer accounts on other sites being compromised, if the passwords have been re-used, the company warned.

Kathmandu has also set up help lines (1300 432 273 for Australia, 0800 201 415 for NZ) and a support request form together with identity and cyber support company IDCARE.

US customers can contact 1-866-775-4209, and European Union, Norway and Switzerland residents +44 (0) 333 103 8653 for support around the hack.

The relevant privacy watchdogs in Australia, New Zealand, the UK have been notified of the data breach by Kathmandu. The hack has been reported to the Australian Cyber Crime Online Reporting Network and the New Zealand police.