An Auckland man who shopped on Kathmandu's website over two months ago had more than $2500 swiped from his bank account during the retailer's data breach.
The NZX-listed retailer yesterday began notifying affected customers by email, letting them know its New Zealand website had been affected by a month-long security breach running from January 8 to February 12 and that their personal details had been compromised.
It warned customers about unusual transactions and recommended that they change their passwords.
Doug Hunt, a semi-retired IT professional with a background in AI and machine learning, says $2581.72 was taken from his credit-card account on February 15.
A second fraudulent transaction was caught by his bank and blocked. He has since cancelled the credit card.
Hunt says he found out about the breach from ANZ, which said the fraudulent activity was likely a result of his card's details being taken from a website he had recently used.
He last made a purchase on Kathmandu's website on January 8 - it was his first time using the website. Though he eventually got the money back, Hunt says he is appalled it took Kathmandu a month to put out a notice addressing the data breach.
"Why did they wait a month to let us know?
"All they've said is: 'We've been hacked, we're sorry'."
Hunt says he is always careful with his details and does not auto-save his personal or bank account details.
"From the letter, it looks as though someone had hacked in and was siphoning off data time which is quite a sophisticated way of doing it."
He believes the breaches were happening in real-time because websites do not get to see or save the three-digit CVC code entered during transactions, meaning someone would have to be accessing the information as he was entering it.
A Kathmandu spokeswoman said customers were told about the breach as soon as the retailer "practically could".
"We were alerted by our bank very recently that they had carried out an investigation following an increase of fraudulent activity and suspected that our website had been potentially compromised. We then immediately commenced a forensic investigation which took a few days to find anything at fault," she said.
"The unidentified third party likely gained unauthorised access to the website through an unknown vulnerability that was subsequently potentially exploited to capture personal and payment details during the check-out page."
The spokeswoman said the unauthorised activity ceased when Kathmandu upgraded its website to the latest version of the Magento Enterprise Edition e-commerce platform.
Hunt says he is worried by the potential for identity theft as hackers now have his name, phone number and address, among other details.
"I'm fairly experienced in this sort of stuff and it reiterates even experienced people get caught by this stuff - the onus is back on the website owner to make sure their security is up to scratch.
"If you're going to put an online website up it behoves you to put in the investment to make sure it is safe."
New Zealand does not have an organisation that assesses or monitors credit requests of people affected by data security breaches.
Hunt is unsure if he will shop online at Kathmandu again.