The company said in a notice to the Australian Stock Exchange that it became aware of the breach between 8 January and 12 February.
Kathmandu uses the Magento e-commerce platform which has suffered numerous breaches over the years. Last year, the site of the smartphone company, OnePlus, which also runs Magento, was compromised.
Magento is owned by Abobe which it bought for US$1.68 billion in 2018. A study by security firm Trustwave in 2016 said Magento was "the e-commerce target of choice for hackers, with Magento installations accounting for 85% of compromised e-commerce systems".
The company said in the statement that an unidentified third party had breached its website and may have stolen personal information of customers and credit card details.
Kathmandu is notifying customers who are potentially affected and advised those who feared they had been affected to contact their banks or credit card providers for advice on what they should do.
Chief executive Xavier Simonet said: "While the independent forensic investigation is ongoing, we are notifying customers and relevant authorities as soon as practicable.
"As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologise to any customers who may have been impacted."