An enterprise operated by the Canadian government and the nation’s largest alcoholic beverage retailer, The Liquor Control Board of Ontario (LCBO), recently revealed that anonymous attackers had managed to breach its official website. Once they gained unauthorised access, the threat operators behind the attack managed to inject the site with malicious code that was engineered to harvest information on customers and their credit cards at the point of check-out.

The government-controlled enterprise employs a staff of over 8,000 and runs 680 retail outlets and warehouse facilities in five different regions. It is also a wholesale company serving 450 grocery stores and delivering support to 18,000 restaurants and bars.

Retailer reveals attack

An announcement from LCBO revealed that a third-party forensic investigation specialist had been tasked with looking into the incident. It found a dedicated credit card stealing script at work that had been active on the enterprise’s website for approximately five days.

A spokesperson for LCBO commented:

“At this time, we can confirm that an unauthorised party embedded malicious code into our website that was designed to obtain customer information during the checkout process. Unfortunately, customers who provided personal information on our check-out pages and proceeded to our payment page between January 5, 2023, and January 10, 2023, may have had their information compromised.”

During the time that the malicious script was operating on the LCBO’s website, the hackers could harvest a wide range of both financial and personal information submitted by paying customers at the check-out.

This data includes customers’ full names, postal and email addresses, Aeroplan numbers, credit card information, along with private passwords for their personal accounts. The retail giant added, however, that its customers who had used the mobile application or the online store to submit orders had not been impacted.

Analysis of the attack

The cyberattack was first discovered on January 10. At this point, LCBO warned customers that both its mobile app and website were no longer accessible but offered no explanation on why they had been removed from active service.

A day later, the beverage retail company revealed that its app, along with the website, had been taken offline because of a cyber incident that was now being investigated.

Just two days following detection of the data breach, on January 12, LCBO presented a detailed statement that revealed the nature of the incident and its effect on customers who had used the app and online store while the malicious credit card skimmer was active.

Web skimming attacks, sometimes referred to as Magecart attacks, involve threat operators injecting malicious JavaScript-based scripts called credit card skimmers or Magecart scripts into compromised ecommerce sites like LCBO’s online store. The malicious script is designed to steal both payment and personal data. The information stolen is then sold to other threat operators on carding or hacking forums or employed in a diverse range of financial fraud schemes and acts of identity theft.
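Because a skimmer is script the site's own developers never shipped, one practical defensive control is to compare the scripts a checkout page actually serves against a known-good baseline and alert on anything new. The following is an added example written for this article, not code from LCBO, its forensic investigator or the article itself: it parses checkout HTML with Python's standard library, records the host of every external script and the SHA-256 of every inline script, and reports any script not in the approved set. The HTML, hostnames and "injected" tag below are constructed sample data; the extra script body is deliberately inert, since only its presence matters to the check.

```python
"""Checkout-page script integrity check (added example, constructed data)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: hosts allowed to serve script on the checkout page.
# In practice this list would come from the release that was actually deployed.
APPROVED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Constructed known-good checkout page.
BASELINE_HTML = """<html><body>
<form id="checkout"><input name="card"></form>
<script src="https://cdn.example/checkout.js"></script>
<script>initCheckout({currency: "CAD"});</script>
</body></html>"""

# Constructed page with two extra script tags standing in for an injection:
# one loaded from a host that is not in the baseline, one inline and unreviewed.
SUSPECT_HTML = """<html><body>
<form id="checkout"><input name="card"></form>
<script src="https://cdn.example/checkout.js"></script>
<script>initCheckout({currency: "CAD"});</script>
<script src="https://static.example.invalid/loader.js"></script>
<script>/* unreviewed inline script */ void 0;</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []       # src attribute of each <script src=...>
        self.inline = []         # text of each <script>...</script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data; keep only those.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def collect_scripts(html):
    """Return (external_srcs, inline_bodies) for one HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def inline_hashes(inline_bodies):
    """SHA-256 of each inline script body, whitespace-trimmed, as a set."""
    return {hashlib.sha256(b.strip().encode()).hexdigest() for b in inline_bodies}


def audit_page(html, approved_hosts, approved_inline_hashes):
    """Flag external scripts from unknown hosts and inline scripts whose hash
    is not in the baseline. Returns a list of (finding_type, detail) tuples."""
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        host = urlparse(src).hostname or ""
        if host not in approved_hosts:
            findings.append(("unknown-script-host", src))
    for body in inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in approved_inline_hashes:
            findings.append(("unknown-inline-script", body.strip()[:60]))
    return findings


if __name__ == "__main__":
    baseline = inline_hashes(collect_scripts(BASELINE_HTML)[1])
    print("baseline findings:", audit_page(BASELINE_HTML, APPROVED_SCRIPT_HOSTS, baseline))
    for finding in audit_page(SUSPECT_HTML, APPROVED_SCRIPT_HOSTS, baseline):
        print("ALERT:", finding)
```

Run against a fetch of the live checkout page on a schedule, the check turns a five-day dwell time like the one described above into an alert on the first scan after the change; a Content-Security-Policy with a script-src allowlist and a report endpoint gives the same host-level signal from the browser side.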

LCBO is still investigating the cyber incident and is currently working to identify every customer that was impacted by the data breach.