Hackers compromised Ontario liquor board website, stole customer data

Cyber attackers compromised the website of Ontario’s Liquor Control Board and stole personal information of customers who bought products online, the retailer has acknowledged.

“At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” the Crown corporation said in a news release Thursday.

“Unfortunately, customers who provided personal information on our check-out pages and proceeded to our payment page on LCBO.com between January 5, 2023, and January 10, 2023, may have had their information compromised. This could include names, email and mailing addresses, Aeroplan numbers, LCBO.com account password, and credit card information. This incident did not affect any orders placed through our mobile app or vintagesshoponline.com.”

The retailer is still investigating the hack to identify specific customers impacted so that it can communicate with them directly. Out of an abundance of caution, customers who initiated or completed payment for orders on LCBO.com during this window are advised to monitor their credit card statements and report any suspicious transactions to their credit card providers.

“With a thorough review and testing of the website complete, including enhanced security and monitoring measures in place, LCBO.com and our mobile app have been restored and are fully operational,” the board said. It has also forced those with LCBO.com accounts to reset their passwords.

There are many types of website compromise, but the addition of code — usually JavaScript — into a site to scrape customer information or to insert a fake checkout page is broadly known as a Magecart attack. According to Imperva, victims of Magecart attacks include sites that run Adobe’s open-source Magento e-commerce platform (hence the name Magecart). Victims of Magecart-style attacks include British Airways, children’s apparel maker Hanna Andersson and even Amazon S3 buckets.

IT World Canada has reported many others, including WooCommerce installations and restaurants using the MenuDrive, Harbortouch and InTouchPOS systems. 

Researchers at Sansec believe that from 2010 to mid-2022, over 70,000 compromised online stores contained a digital skimmer at one point in time. More than 100,000 stores were affected if supply chain attack victims are included. Sansec says there are over 200 different Magecart malware families,

Common targets are e-commerce platforms like Magento, WooCommerce, Prestashop, Opencart and Bigcommerce, because they are used by so many online retailers.

Imperva says that to reduce the risk of Magecart and other types of client-side attacks, retailers should:

  • identify third-party JavaScript – prepare an inventory of all third-party JavaScript code on their websites.
  • ask third-party vendors to audit their code – to ensure it is their original code and does not contain any malicious instructions or malware.
  • switch from third-party to first-party services – whenever possible, prefer to run software on their own servers and not use third-party services. This can prove to be a challenge, as most storefronts today are heavily reliant on third-party vendors.
  • implement HTTP Content-Security-Policy headers – which provides an additional layer of protection from cross-site scripting (XSS), clickjacking, and other code injection attacks.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.