Kathmandu cops it after hack
Sluggish reveal of website breach cost us, say customers
More people have come forward claiming fraudulent activity on their credit cards following retailer Kathmandu’s month-long website data breach.
Property finance consultant Garrick Wynne says $10,000 was spent fraudulently on his credit card at a US sporting goods retailer — around a month after he made a purchase on Kathmandu’s website.
Wynne was notified by his bank around one month before Kathmandu began sending out emails to customers, notifying them about its data breach and advising them to change their passwords.
When he was first contacted by Kiwibank he did not think much about it.
“I rang the bank after a week or so and asked what was going on, just thinking I was over my limit or something, and they said ‘Oh no, your card has been stopped because there was some [suspicious] transactions put through,’” he said.
He does not understand why it took Kathmandu a month to notify customers that its website had been compromised between January 8 and February 12.
He emailed Kathmandu on the same day he received acknowledgement of the breach, voicing his thoughts on the situation. He also floated the idea of compensation but has not heard back from the retailer.
“Kathmandu hasn’t accepted much responsibility for the huge amount of stress and inconvenience they’ve caused people. They’ve now gone dumb-silent and it took them so long to notify there was a breach.”
Wynne is not alone in reporting suspicious activity on his credit card linked to purchases made on Kathmandu’s website in the past two months.
Since the Herald ran a story last week on another Aucklander who had $2500 spent fraudulently on his credit card and another transaction blocked after shopping on Kathmandu’s site, four other people have related similar stories.
One man said he had a $6000 luxury hotel bill and $3000 in luxury items in America slapped on his credit card after he shopped with Kathmandu during the time of its website hack.
“I tried to contact Kathmandu but they made it very difficult and just gave a link to an IT security advisory agency and me being an ex-IT manager, I thought they were pretty poor,” he said. “Kathmandu will not get any more of my business as they only just notified customers [one month later], an absolute disgrace.”
A woman who contacted the Herald said multiple suspicious transactions on her card had been reversed, and another man who wished to remain anonymous said it was not good enough that Kathmandu took so long to notify shoppers about the hack.
The man made a purchase from Kathmandu on January 12 and on March 3 noticed a $580 transaction made on his card, through travel booking site gotogate.co.nz, a site he was unfamiliar with. The transaction was not able to be reversed, he said.
“If Kathmandu had been quicker off the mark at advising people to block their credit cards, I wouldn’t have been ripped off. Even more annoying — since I’ll probably never get my money back — is the other personal information the hacker’s got hold of.”
A Kathmandu spokesman told the Herald the company had notified customers as soon as it could. It said unauthorised activity on its site ceased when Kathmandu upgraded to the latest version of Magento Enterprise Edition protection software.
In a statement, Kathmandu said it was satisfied it had “identified all potentially affected customers” and taken steps to directly contact the individuals.
“Kathmandu has worked as quickly as possible to identify which customers had been potentially impacted by the incident. Kathmandu provided notice as soon as it was reasonably able to provide clear and concise guidance and support.”
It would not compensate those affected, the spokesman said.