More people have come forward claiming fraudulent activity on their credit cards following retailer Kathmandu's month-long website data breach.

Property finance consultant Garrick Wynne says $10,000 was spent fraudulently on his credit card at a US sporting goods retailer - around a month after he made a purchase on Kathmandu's website.

READ MORE:Kathmandu website hack costs customer $2580

Wynne was notified by his bank around one month before Kathmandu began sending out emails to customers, notifying them about its data breach and to change their passwords.


When he was first contacted by Kiwibank he did not think much about it.

"I rang the bank after a week or so and asked what was going on, just thinking I was over my limit or something, and they said 'Oh no, your card has been stopped because there was some [suspicious] transactions put through," he said.

Wynne says the bank cancelled his card following the suspicious activity and he had since lost access to credit.

He said he does not understand why it took Kathmandu a month to notify customers that its website had been compromised between January 8 and February 12.

He sent an email to Kathmandu on the same day he received acknowledgement of the breach, voicing his thoughts on the situation.

He also floated the idea of compensation but has not heard back from the retailer.

"Kathmandu haven't accepted much responsibility for the huge amount of stress and inconvenience they've caused people. They've now gone dumb-silent and it took them so long to notify there was a breach."

Wynne is not alone in reporting suspicious activity on his credit card linked to purchases made on Kathmandu's website in the past two months.


Since the Herald published a story last week on another Auckland man who had $2500 spent fraudulently on his credit card and another transaction blocked after shopping on Kathmandu's website, six other people have been in touch with similar stories.

One man said he had a $6000 luxury hotel bill and $3000 in luxury items in America slapped on his credit card after he shopped with Kathmandu during the time of its website hack.

"I tried to contact Kathmandu but they made it very difficult and just gave a link to an IT security advisory agency and me being an ex-IT manager I thought they were pretty poor," he said.

"Kathmandu will not get anymore of my business as they only just notified customers [one month later], an absolute disgrace."

A woman who contacted the Herald said multiple suspicious transactions on her card had been reversed, and another man who wished to remain anonymous said it was not good enough Kathmandu took so long to notify shoppers about the hack.

If Kathmandu had been quicker off the mark at advising people to block their credit cards, I wouldn't have been ripped off.

The man made a purchase from Kathmandu on January 12 and on March 3 noticed a $580 transaction made on his card, through travel booking site, a site he was unfamiliar with.

The transaction was not able to be reversed, he said.

"If Kathmandu had been quicker off the mark at advising people to block their credit cards, I wouldn't have been ripped off. Even more annoying — since I'll probably never get my money back — is the other personal information the hacker's got hold of."

A Kathmandu spokesman told the Herald the company had notified customers as soon as it could.

It said unauthorised activity on its site ceased when Kathmandu upgraded to the latest version of Magento Enterprise Edition protection software.

In a statement, Kathmandu said it was satisfied it had "identified all potentially affected customers" and taken steps to directly contact the individuals.

"Kathmandu has worked as quickly as possible to identify which customers had been potentially impacted by the incident. Kathmandu provided notice as soon as it was reasonably able to provide clear and concise guidance and support."

It will not offer compensation to customers effected by the breach, the spokesman said.