Kathmandu Probes Possible Card Skimming Breach

Written by

New Zealand-based outdoor clothing retailer Kathmandu is urgently investigating a potential breach of customer card data harvested from its websites.

In a statement posted to the New Zealand Exchange (NZE), the firm said it was notifying potentially affected customers directly, advising them to contact their banks and card providers.

“Kathmandu has recently become aware that between January 8, 2019 NZDT and February 12, 2019 NZDT, an unidentified third party gained unauthorized access to the Kathmandu website platform,” it said. “During this period, the third party may have captured customer personal information and payment details entered at check-out.”

The firm claimed that its “wider IT environment” including all physical stores are not at risk, and has been working with third-party experts to determine what happened. The authorities have also been notified.

“Whilst the independent forensic investigation is ongoing, we are notifying customers and relevant authorities as soon as practicable. As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologize to any customers who may have been impacted,” said CEO Xavier Simonet, in a statement.

Although it’s unclear exactly what happened at this stage, the fact that card data appears to have been taken from customers as details were entered in at check-out chimes with the MO of Magecart-based attacks.

The digital skimming code has been used on a growing number of e-commerce firms, inserted either directly into the sites or by infecting a supply chain partner.

There are thought to be multiple groups using the code to harvest full card details for onward sale on dark web sites. Card details for customers of BA and Newegg were found on underground sites just days after their respective breaches were discovered.

The latest Magecart group was uncovered in January after it infected a French advertising agency to compromise a content delivery network for ads.

What’s hot on Infosecurity Magazine?