Outdoor clothing retailer Kathmandu Holdings has confirmed it is currently conducting an "urgent" investigation into a security incident that it said may have captured the personal information of customers.
The company believes that an unidentified third party gained unauthorised access to the Kathmandu website platform.
The third party "may have" captured customer personal information and payment details entered at check-out, Kathmandu said.
The personal information which could have been impacted by the incident, Kathmandu said, may include billing and shipping name, address, email, and phone number; credit/debit card details; Kathmandu Summit Club username and password; special instructions relating to your order, such as pick up/delivery details; and any gift card details.
According to the company, the incident occurred somewhere between January 8 and February 12, 2019.
"As soon as Kathmandu became aware of this incident, it took immediate steps and confirmed that the Kathmandu online store is and remains secure," it wrote.
"Since this time, Kathmandu has been working closely with leading external IT and cybersecurity consultants to fully investigate the circumstances of the incident and confirm which customers may have been impacted."
The company said it has reset the passwords of all Kathmandu Summit Club accounts impacted by the incident if the password had not already been reset after February 12, 2019.
The wider IT environment, which the company said includes its Kathmandu brick-and-mortar stores, was not impacted by the incident.
"As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologise to any customers who may have been impacted," CEO Xavier Simonet added in a statement issued to the Australian Securities Exchange.
Kathmandu is notifying potentially affected customers directly and said that Australian customers using a Visa or Mastercard card could have had their cards already blocked by their respective card issuers.
The company confirmed it had notified the Information Commissioner's Office in the UK, the Office of the Australian Information Commissioner (OAIC), and the New Zealand Privacy Commissioner, and reported the incident to the Australian Cyber Crime Online Reporting Network and the New Zealand Police. Kathmandu is also working alongside agencies and regulators in other jurisdictions, it said.
Australia's Notifiable Data Breaches (NDB) scheme came into effect on February 22, 2018, requiring agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm" as soon as practicable after becoming aware of a breach.
In the first year of operation, the OAIC received notification of 812 breaches, with around 269,621 separate cases of individuals having their personal information impacted as a result of human error.