Canada’s Largest Booze Supplier Hacked by Credit Card Thieves

The Liquor Control Board of Ontario (LCBO), the state-run alcoholic beverage supplier of Canada’s largest province, has told the public that hackers embedded malware into its website to steal credit card information gathered during the checkout process.

The LCBO sells drinks throughout the province of Ontario. It operates 677 stores and employs more than 8,000 staff, registering net income of over CAD 2.5 billion as of 2021.

In a notice posted to its media center, the organization reveals a recent cybersecurity incident.

“At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” reads the announcement.

Classic Magecart

Threat actors likely exploited an unpatched vulnerability or misconfiguration in the site’s backend and deployed malware designed to intercept transaction data, including credit card information, during checkout.

Magecart attacks, as they’re commonly referred to in infosec, are designed to harvest card data to then send it to an attacker-controlled server.

People who shopped on lcbo.com between Jan. 5 and Jan. 10 are told they “may have had their information compromised.”

While cyber forensics experts sift through the event logs, the LCBO says hackers may have taken “names, email and mailing addresses, Aeroplan numbers, LCBO.com account password, and credit card information.”

The incident did not affect orders placed through the company’s mobile app or vintagesshoponline.com, according to the notice.

LCBO is now working to identify the customers impacted so that it can communicate with them directly.

Clients told to monitor their card statements

The company advises customers who used LCBO.com during this time window to monitor their credit card statements and report any suspicious transactions to their credit card issuer.

The retailer has taken some customer-facing matters into its own hands, such as resetting all LCBO.com account passwords. Registered customers are prompted to renew their password on login.

Since the attackers also got their hands on personally identifiable information, LCBO customers should also be wary of incoming phishing emails or other scams leveraging their personal details.

Bitdefender Digital Identity Protection scans the web for unauthorized leaks of your personal data, monitoring whether your accounts are exposed and making it easy to take action before disaster strikes.