UPDATE: The LCBO hack was the result of stolen login credentials from a breach in an e-mail platform used by Toronto-based marketing agency Conversion Digital. Read here.
The Liquor Control Board of Ontario says the personal data of its customers have been compromised by an “unauthorized party,” the second such hacking incident to strike the Crown corporation this year.
The breach “primarily” involved the first names and e-mail addresses of some customers, who had signed up to receive promotional communications, a spokesperson for the LCBO said in a statement to The Globe and Mail on Wednesday.
But the dates of birth, postal codes and Aeroplan loyalty program information for LCBO customers may have also been breached, according to a separate note sent to customers earlier in the day.
Passwords or financial information were not involved in the incident, the LCBO spokesperson said. The Globe is not able to name the individual because the LCBO said “statements from the press office represent the LCBO and we do not have a specific spokesperson at this time.”
The LCBO first learned about the breach on Aug. 9. Customers were informed about it a week later.
An unknown group of people obtained access to customer data collected on behalf of the LCBO by Conversion Digital, a Toronto-based marketing and advertising agency, the liquor distributor and retailer said. Conversion Digital did not respond to requests for comment.
The Office of the Information and Privacy Commissioner of Ontario has been notified about the breach, according to the note to customers. Promotional e-mails have been paused by the LCBO while an investigation takes place.
The incident appears to be another hack against the LCBO after a similar breach in January, which shut down its website and mobile application at the time, while embedding a malicious code within its digital systems to gather customer information. However, this time, the LCBO says, its internal systems have not been affected by the issue and there are no outages to report.
“We value and respect the trust our customers place in us and sincerely regret any inconvenience or concern that this incident may have caused,” the LCBO spokesperson said Wednesday.
Public and private companies across Canada continue to be inundated by hacking incidents and data breaches.
Over the past year, the Hospital for Sick Children in Toronto, the Prime Minister’s Office, grocery giant Empire Co. Ltd., Barrick Gold Corp., Indigo Books & Music Inc., Vancouver’s transit police and many others have been hit by cybercriminals. But industry experts say organizations are not investing nearly as much as they should toward cybersecurity, lagging behind on many necessary upgrades to their internal systems.