Kathmandu customer data breach

15 March 2019

What’s happened

Outdoor clothing and equipment retailer Kathmandu reported on Wednesday that a third party had gained unauthorised access to its website.

A Kathmandu statement reveals that the unidentified party accessed the site between 8 January 2019 and 12 February 2019, and may have captured customer personal information and payment details during this time.

Personal information entered by customers on the website may have been impacted, including:

  • billing and shipping name, address, email and phone number
  • credit or debit card details used to complete a purchase
  • Kathmandu Summit Club user names and passwords
  • special instructions relating to orders (including pick up/delivery details)
  • any gift card details.

Kathmandu is investigating the incident to identify what information was involved in the breach. It is also notifying customers who may have been affected, with advice on steps they can take to protect their personal information from any future misuse.

Does it affect me?

Kathmandu is directly notifying, by email or letter, all customers who may have been affected. If you have not received an email or letter but believe that you purchased items from their online store between 8 January and 12 February, you should contact Kathmandu to confirm whether you have been affected.

If you did not make a purchase from a Kathmandu website during this time, you are not affected by this incident.

How do I stay safe?

  • If you used an Australian-issued Visa, Visa Debit or Mastercard on the Kathmandu site during the breach period, Visa and Mastercard may have taken steps to block your card and have it re-issued. If you have been affected and your card has not been re-issued, contact your bank for more information as soon as possible.
  • For other credit or debit cards used on the site during the breach timeframe, it is recommended that you review and continue to monitor your accounts and financial statements for any unusual activity.
  • If you have a Kathmandu Summit Club account, and use a similar or identical password on other accounts (such as your social media, banking or email accounts), you should change these passwords. As a precautionary measure, Kathmandu has reset the passwords of all Kathmandu Summit Club accounts impacted by this incident. Stay Smart Online also recommends using different passwords across your important accounts.

More information

Kathmandu is working closely with IDCARE, Australia and New Zealand's leading national identity and cyber support service, in response to this incident. If you have been, or think you have been, affected, you can contact IDCARE via referral code KAT-IDC through either their online support request form or by calling 1300 432 273 during business hours (8:00am – 5:00pm Monday-Friday AEST).

Read more on Protecting your personal information – including what to do if your identity is stolen.

Find out where to get help if you believe you have become a victim of a scam.