We have recently become aware that between 8 January 2019 NZDT and 12 February
2019 NZDT, an unidentified third party gained unauthorised access to our
website. During this process, the third party may have captured customer
personal information and payment details entered at check-out for potential
As soon as we became aware of this incident, we took immediate steps to
confirm that our online store and our wider IT environment were secure. Since
this time, we have been working closely with leading external IT and Cyber
Security consultants to fully investigate the circumstances of the incident
and confirm which customers may have been impacted.
Our number one focus has been to clearly identify who has been (and rule out
who has not been) potentially affected by this incident and also identify
precisely what information is involved so we can meaningfully inform you about
how you may have been affected.
We are now in the process of directly notifying our customers who may have
been affected and informing them of the steps they can take in response to
We have notified the Information Commissioner's Office in the UK, the Office
of the Australian Information Commissioner and the New Zealand Privacy
Commissioner, and have reported the incident to the Australian Cyber Crime Online
Reporting Network and the New Zealand Police. We are also working alongside
agencies and regulators in other jurisdictions.
As an organisation, we attach a high value to our customer data and we take
the protection of our customers' data very seriously. We have been working, and will
continue to work, with the relevant authorities and independent security
We have set up this webpage, which contains answers to FAQs below.
We are deeply sorry for any disruption that this incident causes for our
customers. We are doing everything we can to ensure the ongoing security of
our systems to prevent this type of incident occurring again in the future.
Frequently asked questions
Q: Have I been affected?
A: We are in the process of directly notifying all customers who may
have been affected by the incident.
If you did not receive an email or letter from us, but believe that you
purchased items from our online store between 8 January 2019 NZDT and 12
February 2019 NZDT*, please contact us to confirm if you may have been
If you did not make a purchase on a Kathmandu website between 8 January 2019 and
12 February 2019, this means that you are not affected by this incident.
*Due to time zone differences the date range may include 7 January 2019
(GMT) and end on 11 February 2019 (GMT).
Q: Why are you notifying me?
A: Our records show that you purchased from our website during the
period of potential exposure. We are notifying you so that you have the tools
you need to take steps to protect your information from any misuse in the
We take the protection of our customers' data very seriously and want to be
open and transparent with you about this incident.
Q: What information was impacted by this incident?
A: The personal information which could have been impacted by the
incident may include some or all of the following categories of information
(if provided by you):
billing and shipping name, address, email and phone number;
the credit/debit card details you provided to complete the purchase;
your Kathmandu Summit Club username and password;
special instructions relating to your order (including pick up/delivery
any gift card details.
Q: What actions do I need to take?
A: We have worked with Australia and New Zealand's leading national
identity and cyber support experts, IDCARE, to assess the risk of harm that
this incident may pose to you, as well as the steps that you can take to
prevent any potential misuse of your information.
Specific steps that all individuals should take:
Credit Card Information
If you used an Australian issued Visa, Visa Debit or Mastercard on our site
between 8 January 2019 and 12 February 2019, Visa and Mastercard may have
taken steps to block your card and have it reissued. If your card has not been
reissued, contact your bank for more information as soon as possible.
If you used another credit or debit card on our site between 8 January 2019
and 12 February 2019, we recommend that you review and continue to monitor
your financial and payment card account statements for any discrepancies or
unusual activity. Contact your financial institution if you have any concerns.
Kathmandu Summit Club and other online accounts
As part of our overall response to this incident, we have taken the
precautionary step to reset the passwords of all Kathmandu Summit Club
accounts impacted by the incident if the password had not already been reset
after 12 February 2019.
Although the Kathmandu Summit Club passwords impacted by this incident are not
visible in plain text, there is a risk that they can be decrypted. This would
allow third parties to potentially gain unauthorised access to your online
accounts where you use the same or similar password.
To prevent this from occurring, you should:
change all passwords that may have been identical or similar to the password
used to access your Kathmandu Summit Club account (such as email, social
media, online banking etc); and
remain vigilant around email, telephone and text-based scams.
Q: Is it safe to use Kathmandu's online store?
A: Yes. Our external IT and Cyber Security consultants have confirmed
that this incident only impacted Kathmandu's website between 8 January 2019
NZDT and 12 February 2019 NZDT.
Q: Has Kathmandu notified other regulatory agencies?
A: Yes. Where appropriate, Kathmandu has notified and will cooperate
with other international regulators, including the UK Information
Commissioner's Office and US based regulatory agencies.
Q: Who do I contact for more information?
A: Australia and New Zealand - We have worked with Australia and New
Zealand's leading national identity and cyber support experts, IDCARE, to
assess the risk of harm that this incident may pose to you, as well as the
steps that you could take to prevent any potential misuse of your information.
You can contact IDCARE via referral code KAT-IDC through either its
online Support Request Form (https://www.idcare.org/contact/get-help-now) or by calling 1300 432 273 (Aus) and 0800 201 415 (NZ) during business
hours (8:00am – 5:00pm M-F AEST).
United States and Canada - You can contact our information line by
calling 1-866-775-4209, Monday through Friday from 8:00am to 5:30pm Central
Time for more information and support.
European Union, Norway and Switzerland - You can contact our
information line by calling +44 (0) 333 103 8653 24 hours a day, 7 days a week
for more information and support.
Rest of world – You can contact our information line by calling +44 (0)
333 103 8653 24 hours a day, 7 days a week for more information and support.