Kathmandu says its online customers may have had their details captured after the outdoor clothing retailer's website was breached earlier this year.
"An unidentified third party gained unauthorised access to the Kathmandu website platform" between January 8 and February 12, the company said in a statement to ASX on Wednesday.
"During this period, the third party may have captured customer personal information and payment details entered at check-out," it said.
Kathmandu said it would notify potentially affected customers but that its online shop was now secure and its physical stores unaffected.
The dual-listed New Zealand-based company was working with cyber security consultants to investigate the incident and confirm which customers were affected.
News that makes sense
Your trusted source for staying up-to-date with the world around you. Get free daily news updates and analysis, straight to your inbox.
"Whilst the independent forensic investigation is ongoing, we are notifying customers and relevant authorities as soon as practicable," chief executive officer Xavier Simonet said.
"As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologise to any customers who may have been impacted."
The company's shares fell 11 cents after it issued its statement but rebounded soon after, trading flat at $2.36 at 1410 AEDT on Wednesday.
