Kathmandu Holdings suffered a data breach compromising customers’ personal information

• Kathmandu learned that an unauthorized third-party gained illegal access to the Kathmandu website between January 8, 2019, and February 12, 2019.
• Upon learning the incident, Kathmandu has hired leading external IT and cybersecurity consultants to investigate the incident.

What is the issue - New Zealand-based outdoor clothing and equipment retailer Kathmandu Holdings suffered a data breach impacting customers’ personal information.

What happened - Kathmandu learned that an unauthorized third-party gained illegal access to the Kathmandu website between January 8, 2019, and February 12, 2019, and got hold of customers’ personal information.

What was compromised - The compromised information includes customers’ billing and shipping names, shipping addresses, email addresses, phone numbers, payment card details, pickup/delivery details, gift card details, and Kathmandu Summit Club usernames and passwords.

However, the outdoor retailer confirmed that its physical stores were not impacted by the incident.

What were the immediate actions taken?

• Upon learning the incident, Kathmandu took immediate measures to secure its website and online store.
• Kathmandu has hired leading external IT and cybersecurity consultants to investigate the incident.
• The outdoor retailer has reset the passwords of all Kathmandu Summit accounts that might have been impacted by the incident.
• It is notifying the potentially affected customers and requesting them to contact their payment card providers.
• It has notified the law enforcement authorities including the Information Commissioner's Office in the UK, the Office of the Australian Information Commissioner (OAIC), the New Zealand Privacy Commissioner, the Australian Cyber Crime Online Reporting Network and the New Zealand Police.

“Whilst the independent forensic investigation is ongoing, we are notifying customers and relevant authorities as soon as practicable. As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologize to any customers who may have been impacted,” Xavier Simonet, CEO of Kathmandu Holdings, said, as noted in the official security incident notification.