Kathmandu website hack siphons $2580 from customer
An Auckland man who shopped on Kathmandu’s website over two months ago had more than $2500 swiped from his bank account during the retailer’s data breach.
The NZX-listed retailer began notifying affected customers by email on Wednesday, letting them know its New Zealand website had been affected by a security breach running between January 8 and February 12 and that their personal details had been compromised.
It warned customers about unusual transactions and recommended they change their passwords.
Doug Hunt, a semi-retired IT professional with a background in AI and machine learning, said $2581.72 was taken from his credit card account on February 15.
A second fraudulent transaction was caught by his bank and blocked. He had since cancelled the credit card.
Mr Hunt said he found out about the breach from ANZ, which said it was likely the fraudulent activity was a result of his card’s details having been taken from a website he had recently used.
He last made a purchase on Kathmandu’s website on January 8 — it was his first time using the website.
Although he eventually got the money back, Mr Hunt said he was appalled it took Kathmandu a month to put out a notice addressing the data breach.
‘‘Why did they wait a month to let us know?
‘‘All they’ve said is: ‘We’ve been hacked, we’re sorry’.’’
He said he was careful with his details and did not auto-save his personal or bank account details.
‘‘From the letter, it looks as though someone had hacked in and was siphoning off data time, which is quite a sophisticated way of doing it.’’
He believed the breaches were happening in real time because websites did not get to see or save the three-digit CVC code entered during transactions, meaning someone would have to be accessing the information as he was entering it.
A Kathmandu spokeswoman said the retailer told customers about the breach as soon as it ‘‘practically could’’.
‘‘We were alerted by our bank very recently that they had carried out an investigation following an increase of fraudulent activity and suspected that our website had been potentially compromised. We then immediately commenced a forensic investigation which took a few days to find anything at fault,’’ she said.
‘‘The unidentified third party likely gained unauthorised access to the website through an unknown vulnerability that was subsequently potentially exploited to capture personal and payment details during the checkout page.’’ — The New Zealand Herald