Kathmandu Holdings is investigating a data security breach on one of its websites that lasted for about a month.
The outdoor equipment chain said it recently became aware that an unidentified third party gained access to its website platform between January 8 and February 12, and may have captured customer personal information and payment details.
An email to affected customers says:
"The personal information which could have been impacted by the incident may include some or all of the following categories of information (if provided by you):
• billing and shipping name, address, email and phone number;
• the credit/debit card details you provided to complete the purchase;
• your Kathmandu Summit Club login username and password;
• special instructions relating to your order (including delivery/pick up details); and
• any gift card details."
The retailer is notifying customers it believes may have been affected, and is in the process of telling the relevant legal and privacy authorities.
Since discovering the breach, Kathmandu said it's confirmed the online store remains secure and that the wider IT network hasn't been impacted. The shares fell 0.8 per cent to $2.42.
"Whilst the independent forensic investigation is ongoing, we are notifying customers and relevant authorities as soon as practicable," chief executive Xavier Simonet said in a statement.
"As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologise to any customers who may have been impacted."
Kathmandu's admission comes the same day Parliament's justice select committee reported back on the Privacy Bill, which will update legislation governing data breaches and empower the Privacy Commissioner to issue compliance notices when the new law is enacted.
Among the changes in the report, the committee, chaired by Labour MP Raymond Huo, decided to raise the threshold for a notifiable privacy breach to one that is likely to cause serious harm, rather than harm.