Computerworld

Kathmandu hacker may have captured customer credit card data

Retailer reveals details of data breach

ASX- and NZX-listed clothing and camping equipment retailer Kathmandu has revealed that an “unidentified third party” may have had access to its online ecommerce website for over a month.

In a statement released to the two exchanges, Kathmandu said that during the period 8 January to 12 February “the third party may have captured customer personal information and payment details entered at check-out”.

“As soon as Kathmandu became aware of this incident, it took immediate steps and confirmed that the Kathmandu online store is and remains secure,” the company’s statement said.

It said that its broader IT environment, including the systems employed by Kathmandu's physical stores, was not affected by the breach.

Kathmandu said it had been working closely with external cyber security consultants to “fully investigate the circumstances of the incident and confirm which customers may have been impacted.”

The company said it would notify potentially affected customers directly and that it was in the process of notifying law enforcement agencies and privacy regulators.

“Whilst the independent forensic investigation is ongoing, we are notifying customers and relevant authorities as soon as practicable,” said CEO Xavier Simonet.

“As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologise to any customers who may have been impacted.”

Kathmandu didn’t reveal technical details of the breach. However, security vendor Symantec has noted the growing popularity of ‘formjacking’, which typically involves embedding malicious JavaScript code in online payment pages.

Formjacking allows the transparent capture of card details: the injected script reads what the customer types into the payment form and sends it to the attacker while the legitimate checkout proceeds normally. High-profile corporations including Ticketmaster and British Airways have fallen victim to the technique.
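As an added illustration of the defensive side (example code written for this page, not from the article, Symantec or Kathmandu): a baseline check that parses a checkout page, flags any script whose host or inline hash is not on a known-good allowlist, and emits the matching Content-Security-Policy directive. The allowlist, host names and sample page are constructed assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def csp_hash(script_text):
    # CSP/SRI-style digest of an inline script body: "sha256-<base64>"
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

class ScriptCollector(HTMLParser):
    # Collects every <script> element on a page as (src, inline_body).
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None

def audit_checkout_scripts(html, allowed_hosts, allowed_inline_hashes):
    # One finding per script that deviates from the known-good baseline.
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src and (urlparse(src).hostname or "").lower() not in allowed_hosts:
            findings.append(f"unexpected external script: {src}")
        elif not src and csp_hash(body) not in allowed_inline_hashes:
            findings.append(f"unexpected inline script ({csp_hash(body)})")
    return findings

def csp_script_src(allowed_hosts, allowed_inline_hashes):
    # Matching Content-Security-Policy directive: the browser then refuses any script the audit would flag.
    sources = ["'self'"] + [f"https://{h}" for h in sorted(allowed_hosts)]
    return "script-src " + " ".join(sources + [f"'{h}'" for h in sorted(allowed_inline_hashes)])

# Constructed baseline and sample checkout page (not Kathmandu's site or code).
ALLOWED_SCRIPT_HOSTS = {"shop.example"}
ALLOWED_INLINE_HASHES = {csp_hash('window.checkoutConfig = {currency: "NZD"};')}
SAMPLE_CHECKOUT_HTML = """<html><body><form id="payment"><input name="cardnumber"></form>
<script src="https://shop.example/static/checkout.js"></script>
<script>window.checkoutConfig = {currency: "NZD"};</script>
<script src="https://cdn.unknown-host.example/analytics.js"></script></body></html>"""
```

Running `audit_checkout_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_SCRIPT_HOSTS, ALLOWED_INLINE_HASHES)` on the sample reports only the third script, the one from the unlisted host; scheduling the same audit against the live checkout page is a cheap way to notice an injected script before customers do.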

The retail sector is yet to make it into the top five industry sectors for data breaches in the statistics released by the Office of the Australian Information Commissioner. The OAIC releases quarterly statistics on incidents reported to it as part of Australia’s Notifiable Data Breaches (NDB) scheme.