Cyber Incident Victim: Kathmandu Holdings

Date: Jan 2019

Location: Australia

Summary

Kathmandu Holdings experienced unauthorized third-party access to its online store platform, potentially compromising customer data including billing and shipping details, payment card information, usernames, passwords, gift card data, and order-specific instructions. The retailer promptly secured its systems, engaged external cybersecurity experts for investigation, and confirmed physical stores remained unaffected. Impacted customers received direct notifications, with Australian Visa and Mastercard users potentially having cards preemptively blocked by issuers. Regulatory notifications were issued to privacy authorities in Australia, New Zealand, and the UK, alongside reports to cybercrime units and police. The company acknowledged potential customer harm and publicly apologized while emphasizing its commitment to data protection.

Description

Kathmandu Holdings, an outdoor clothing retailer, experienced a cybersecurity incident involving unauthorized access to its website platform by an unidentified third party between January 8 and February 12, 2019. The breach potentially exposed customer information entered during online checkout transactions over this five-week period. Compromised data categories included billing and shipping names, addresses, email addresses, and phone numbers; payment card details for credit and debit cards; Kathmandu Summit Club usernames and passwords; order-specific instructions such as pickup/delivery details; and gift card information. The company confirmed that its physical retail stores and broader IT infrastructure remained unaffected by the incident, with the breach limited to the e-commerce platform. Kathmandu detected the intrusion after the access period concluded and initiated an urgent investigation upon discovery.

The organization responded by immediately securing its online store and engaging external IT and cybersecurity consultants to investigate the breach's scope and identify affected customers. Kathmandu directly notified potentially impacted individuals and disclosed that Australian customers using Visa or Mastercard might have had their cards proactively blocked by financial institutions. Regulatory notifications were made to the UK Information Commissioner's Office, Australia's Office of the Australian Information Commissioner (OAIC), and New Zealand's Privacy Commissioner, alongside reports to law enforcement agencies including the Australian Cyber Crime Online Reporting Network and New Zealand Police. CEO Xavier Simonet issued a public apology through the Australian Securities Exchange, emphasizing the company's serious approach to data privacy. This incident occurred against the backdrop of Australia's Notifiable Data Breaches scheme, which had been operational for approximately one year prior to the breach disclosure, mandating notification requirements for incidents likely to cause serious harm.
