15 March 2019

What’s happened?
Outdoor clothing and equipment retailer Kathmandu reported on Wednesday that a third party had gained unauthorised access to its website.
A Kathmandu statement reveals that the unidentified party accessed the site between 8 January 2019 and 12 February 2019, and may have captured customer personal information and payment details during this time.
Personal information entered by customers on the website may have been impacted, including:
  • billing and shipping name, address, email and phone number;
  • credit/debit card details to complete a purchase;
  • Kathmandu Summit Club usernames and passwords;
  • special instructions relating to orders (including pick up/delivery details); and
  • any gift card details.
Kathmandu is investigating the incident to identify what information was involved in the breach. They are also in the process of notifying customers who may have been affected, with advice on steps they can take to protect their personal information from any future misuse.

Does it affect me?
Kathmandu is directly notifying all customers by email or letter who may have been affected. If you have not received an email or letter but believe that you purchased items from their online store between 8 January and 12 February, you should contact Kathmandu to confirm if you have been affected.
If you did not make a purchase from a Kathmandu website during this time, you are not affected by this incident.

How do I stay safe?
  • If you used an Australian-issued Visa, Visa Debit or Mastercard on the Kathmandu site during the breach period, Visa and Mastercard may have taken steps to block your card and have it reissued. If you have been affected and your card has not been reissued, contact your bank for more information as soon as possible.
  • For other credit or debit cards used on the site during the breach timeframe, it is recommended that you review and continue to monitor your accounts and financial statements for any unusual activity.
  • If you have a Kathmandu Summit Club account, and use a similar or identical password on other accounts (such as your social media, banking or email accounts), you should change these passwords. As a precautionary measure, Kathmandu has reset the passwords of all Kathmandu Summit Club accounts impacted by this incident. Stay Smart Online also recommends using different passwords across your important accounts.

More information
Kathmandu is working closely with IDCARE, Australia and New Zealand’s leading national identity and cyber support service, in response to this incident. If you have been, or think you have been, affected, you can contact IDCARE via referral code KAT-IDC either through its online Support Request Form (//www.idcare.org/contact/get-help-now) or by calling 1300 432 273 during business hours (8:00am – 5:00pm M-F AEST).
Read more on Protecting your personal information – including what to do if your identity is stolen.
Find out where to get help if you believe you have become a victim of a scam.

The information provided here is of a general nature. Everyone’s circumstances are different. If you require specific advice you should contact your local technical support provider.

Disclaimer
This information has been prepared by the Australian Cyber Security Centre (‘the ACSC’). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.