An unidentified third-party has breached Kathmandu’s website and potentially accessed customers’ personal information and payment details, the outdoor retailer revealed on Wednesday.
The business was alerted to the breach, which took place between January 8 and February 12, 2019, through bank fraud monitoring.
A Kathmandu spokesperson told IRNZ that the business is currently investigating how many customers are affected by the breach, but that it remains an ongoing process.
“Whilst the independent forensic investigation is ongoing, we are notifying customers and relevant authorities as soon as practicable,” Kathmandu chief executive Xavier Simonet said.
“As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologise to any customers who many have been impacted.”
The business has enlisted the help of external IT and cyber security experts to assist in investigating the circumstances, and to confirm which customers have been impacted.
While the financial impact of the incident is still unclear, the dual-listed retailer saw its stock price fall 0.8 per cent after the announcement, to $2.42 per share.
A growing concern
A recent report by CERT NZ said over 3445 businesses and individuals reported cyber security issues in New Zealand in 2018, a 205 per cent increase on the previous year’s figure of 1131.
“We’ve seen criminals rapidly modifying their tactics to extort money and information,” CERT NZ director Rob Pope said.
“These efforts are paying off – in the last quarter of last year New Zealanders reported losses of over $5.9 million, and more than $14 million overall in 2018.”
The largest category of incidents was phishing and credential harvesting – the act of amassing information about the end-user of a business, or an individual (such as passwords, usernames, financial information), for later reuse – with 1550 such incidents taking place across the year.
Businesses bore 35 per cent of the $14.1 million cost of cyber security issues in 2018. It is not surprising that the vast majority of cyber security threats affect individuals, since when businesses such as Kathmandu are breached and their customer data is exposed, the criminal parties gain access to a large amount of personal data.
