13 March 2019
We have recently become aware that between 8 January 2019 NZDT and 12 February 2019 NZDT, an unidentified third party gained unauthorised access to our website. During this process, the third party may have captured customer personal information and payment details entered at check-out for potential fraudulent use.
As soon as we became aware of this incident, we took immediate steps to confirm that our online store and our wider IT environment were secure. Since then, we have been working closely with leading external IT and Cyber Security consultants to fully investigate the circumstances of the incident and confirm which customers may have been impacted.
Our number one focus has been to clearly identify who has been (and rule out who has not been) potentially affected by this incident and also identify precisely what information is involved so we can meaningfully inform you about how you may have been affected.
We are now in the process of directly notifying our customers who may have been affected and informing them of the steps they can take in response to this incident.
We have notified the Information Commissioner's Office in the UK, the Office of the Australian Information Commissioner, the New Zealand Privacy Commissioner and reported the incident to the Australian Cyber Crime Online Reporting Network and the New Zealand Police. We are also working alongside agencies and regulators in other jurisdictions.
As an organisation, we attach a high value to our customer data and we take the protection of our customers' data very seriously. We have been working, and will continue to work, with the relevant authorities and independent security experts.
We have set up this webpage, which contains answers to FAQs below.
We are deeply sorry for any disruption that this incident causes for our customers. We are doing everything we can to ensure the ongoing security of our systems to prevent this type of incident occurring again in the future.
Frequently asked questions
Q: Have I been affected?
A: We are in the process of directly notifying all customers who may have been affected by the incident.
If you did not receive an email or letter from us, but believe that you purchased items from our online store between 8 January 2019 NZDT and 12 February 2019 NZDT*, please contact us to confirm if you may have been affected.
If you did not make a purchase on a Kathmandu website between 8 January 2019 and 12 February 2019, this means that you are not affected by this incident.
*Due to time zone differences the date range may include 7 January 2019 (GMT) and end on 11 February 2019 (GMT).
Q: Why are you notifying me?
A: Our records show that you purchased from our website during the period of potential exposure. We are notifying you so that you have the tools you need to take steps to protect your information from any misuse in the future.
We take the protection of our customers' data very seriously and want to be open and transparent with you about this incident.
Q: What information was impacted by this incident?
A: The personal information which could have been impacted by the incident may include some or all of the following categories of information (if provided by you):
- billing and shipping name, address, email and phone number;
- the credit/debit card details you provided to complete the purchase;
- your Kathmandu Summit Club username and password;
- special instructions relating to your order (including pick up/delivery details); and
- any gift card details.
Q: What actions do I need to take?
A: We have worked with Australia and New Zealand's leading national identity and cyber support experts, IDCARE, to assess the risk of harm that this incident may pose to you, as well as the steps that you can take to prevent any potential misuse of your information.
Specific steps that all individuals should take:
Credit Card Information
If you used an Australian issued Visa, Visa Debit or Mastercard on our site between 8 January 2019 and 12 February 2019, Visa and Mastercard may have taken steps to block your card and have it reissued. If your card has not been reissued, contact your bank for more information as soon as possible.
If you used another credit or debit card on our site between 8 January 2019 and 12 February 2019, we recommend that you review and continue to monitor your financial and payment card account statements for any discrepancies or unusual activity. Contact your financial institution if you have any concerns.
Kathmandu Summit Club and other online accounts
As part of our overall response to this incident, we have taken the precautionary step to reset the passwords of all Kathmandu Summit Club accounts impacted by the incident if the password had not already been reset after 12 February 2019.
Although the Kathmandu Summit Club passwords impacted by this incident are not visible in plain text, there is a risk that they can be decrypted. This would allow third parties to potentially gain unauthorised access to your online accounts where you use the same or similar password.
To prevent this from occurring, you should:
- change all passwords that may have been identical or similar to the password used to access your Kathmandu Summit Club account (such as email, social media, online banking etc); and
- remain vigilant around email, telephone and text-based scams.
Q: Is it safe to use Kathmandu's online store?
A: Yes. Our external IT and Cyber Security consultants have confirmed that this incident only impacted Kathmandu's website between 8 January 2019 NZDT and 12 February 2019 NZDT.
Q: Has Kathmandu notified other regulatory agencies?
A: Yes. Where appropriate, Kathmandu has notified and will cooperate with other international regulators, including the UK Information Commissioner's Office and US based regulatory agencies.
Q: Who do I contact for more information?
A: Australia and New Zealand - We have worked with Australia and New Zealand's leading national identity and cyber support experts, IDCARE, to assess the risk of harm that this incident may pose to you, as well as the steps that you could take to prevent any potential misuse of your information.
You can contact IDCARE via referral code KAT-IDC through either its online Support Request Form (https://www.idcare.org/contact/get-help-now) or by calling 1300 432 273 (Aus) and 0800 201 415 (NZ) during business hours (8:00am – 5:00pm M-F AEST).
If you have any further questions after reading these FAQs, please email us at [email protected].