Retailer Kathmandu Holdings is warning customers their personal and payment details may have been compromised after a breach of security on the company's website.
The company didn't specify how many customers it thought might be affected.
It told the stock exchange in a statement on Wednesday it was "urgently investigating" a security incident with its online trading websites.
"Kathmandu has recently become aware that between 8 January 2019 NZDT and 12 February 2019 NZDT, an unidentified third party gained unauthorised access to the Kathmandu website platform," it said.
"During this period, the third party may have captured customer personal information and payment details entered at check-out."
Kathmandu is a substantial business, generating revenues in the order of half a billion dollars a year. It says online sales account for nearly 10% of the total.
The company said as soon as it became aware of the security breach it took immediate steps and confirmed that the Kathmandu online store is and remains secure.
"The wider IT environment including all Kathmandu physical stores were not impacted by this incident. Since this time, Kathmandu has been working closely with leading external IT and Cyber Security consultants to fully investigate the circumstances of the incident and confirm which customers may have been impacted."
The company said it was notifying potentially affected customers directly. Kathmandu advises any customer who believes they may have been impacted to contact their banks or credit card providers and follow their recommended advice.
The company is in the process of notifying the relevant privacy and law enforcement agencies.
Kathmandu chief executive Xavier Simonet said that while the independent forensic investigation is ongoing, the company was notifying customers and relevant authorities as soon as practicable.
"As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologise to any customers who may have been impacted.”