The Liquor Control Board of Ontario (LCBO), a Canadian government enterprise and the country’s largest beverage alcohol retailer, revealed that unknown attackers had breached its website to inject malicious code designed to steal customer and credit card information at check-out.
LCBO revealed on Wednesday that third-party forensic investigators found a credit card stealing script that was active on its website for five days.
“At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” LCBO said.
“Unfortunately, customers who provided personal information on our check-out pages and proceeded to our payment page on LCBO.com between January 5, 2023, and January 10, 2023, may have had their information compromised.”
While the malicious script was active on the retailer’s website, the attackers could harvest various personal and financial information submitted by customers during the check-out process.
This includes customers’ names, email and mailing addresses, credit card information, Aeroplan numbers, and LCBO.com account passwords.
LCBO added that customers who used the mobile app or the vintagesshoponline.com online store to make orders were not affected.
The company is still investigating the incident and is working on identifying all customers affected by this data breach.
The attack was discovered on January 10, when LCBO warned that its website and mobile app were no longer available without explaining why they were taken down.
One day later, the Canadian retailer revealed that the app and the LCBO.com website were offline because of a “cyber incident” being investigated.
On January 12, two days after the breach was detected, LCBO issued a detailed statement revealing the nature of the attack and its impact on customers who used the online store and the mobile app while the credit card skimmer was active.
The government-controlled company employs more than 8,000 people and operates 680 retail stores and five regional warehouse facilities.
It’s also a wholesaler to 450 grocery stores and provides wholesale support for 18,000 bars and restaurants.
In web skimming (also known as Magecart) attacks like the one that affected LCBO’s customers, threat actors inject JavaScript-based scripts known as credit card skimmers (aka Magecart scripts, payment card skimmers, or web skimmers) into compromised online stores designed to steal payment and personal information.
The stolen info is later sold to other cybercriminals on hacking or carding forums or used in various identity theft or financial fraud schemes.