Canadian liquor distributor Liquor Control Board of Ontario (LCBO) has announced that a web skimmer injected into its online store was used to steal users’ personal data.
One of the largest liquor sellers in Canada, LCBO retails and distributes alcoholic beverages throughout the Ontario province, operating over 670 stores and employing more than 8,000 people.
Last week, the company abruptly took offline its online store and mobile application, only to later explain that it fell victim to a cyberattack in which a web skimmer was injected into LCBO.com.
“At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” the retailer said.
According to LCBO, all individuals who provided their personal information on the online store’s check-out pages and made payments between January 5 and 10, 2023, are impacted.
The compromised personal information, the company says, includes names, addresses, email addresses, LCBO.com account passwords, Aeroplan numbers, and credit card information.
“This incident did not affect any orders placed through our mobile app or vintagesshoponline.com,” the company said.
The company did not share information on the number of impacted customers, but said that it disabled customer access to both the online store and mobile app as a precautionary measure, and that it also forced a password reset for all user accounts.
“LCBO.com and our mobile app have been restored and are fully operational. We have also reset all LCBO.com account passwords. Registered customers will be prompted to reset their password on login,” the company said.
Web skimmer attacks, also referred to as Magecart attacks, are typically the result of a misconfiguration or unpatched vulnerabilities that allow threat actors to inject information stealer malware into a website and harvest the information of unsuspecting users.
Magecart attacks have been around for years, with multiple groups operating under the umbrella and hundreds of online stores compromised to date. In 2019, a free service called URLscan.io was made available to help customers and retailers alike check for the presence of web skimmers.
Related: Hundreds of eCommerce Domains Infected With Google Tag Manager-Based Skimmers
Related: Target Open Sources Web Skimmer Detection Tool
Related: Web Skimmer Injected Into Hundreds of Magento-Powered Stores
