Canadian alcohol retail giant LCBO (Liquor Control Board of Ontario) has announced that "an unauthorized party has injected malicious code" into its website to steal customer information during the checkout process. Representatives of the company said that within five days in January, customer information "could have been compromised."
In fact, the infection occurred back in December, during an attack on the LCBO website that lasted more than a week. The company did not publicly report this attack.
LCBO is a state-owned enterprise and is currently one of the largest retailers and wholesalers of alcoholic beverages in the world. The company said last week that it was temporarily shutting down its website and app to investigate a "cybersecurity incident." According to the statement, all of the company's retail stores (680 stores) operate without risk to customer safety. External experts were brought in to resolve the incident.
“We are currently able to confirm that an unauthorized party has injected malicious code into our website. This code was designed to retrieve customer information during the checkout process,” LCBO said, adding that customer information provided on the checkout pages may have been “compromised.”
The stolen information included customer names, their email addresses, passwords, and card payment details. LCBO urged customers who made purchases during this time period to carefully review card payments and report suspicious transactions immediately.
The LCBO is currently identifying specific clients affected by the attack in order to communicate directly with them. The website and app are back up and running, but all account passwords have been reset. Over the past three months, the website has averaged more than 3 million monthly visits, of which 94% were from Canada and 3% from the US.
Tanium's Tim Morris said e-skimmer attacks have been around for years, but many retailers still haven't learned from the high-profile incidents involving Target and Ticketmaster.
“Many business owners are just running their business but don't have the technical expertise or resources to avoid these types of incidents,” Morris said. He added: “From a consumer perspective, it’s best to always use fraud-proof cards, virtual cards, and keep track of your purchases regularly.”
Magecart Overwatch found 1,520 unique malicious domains involved in infecting 9,290 e-commerce domains in 2022. Customer card data has been leaked from over 1,000 different organizations. In 2022, electronic skimmers led to 45.6 million compromised payment card entries being offered for sale on dark web platforms, according to researchers.