An unauthorized party embedded “malicious code” on the Liquor Control Board of Ontario’s website to gather customer information, the provincial agency said Thursday, noting that personal data may have been compromised as a result.
The Crown corporation had said earlier this week that it was investigating a “cybersecurity incident” that affected online sales through LCBO.com.
The LCBO said it took immediate steps to deal with the issue, including disabling customer access to the site and its mobile app, while it investigated.
“We can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” it wrote in a statement Thursday.
Customers who provided personal information on check-out pages on its website and proceeded to its payment page between Jan. 5 and Jan. 10 may have had their information compromised, the LCBO said.
That could include names, e-mail and mailing addresses, and credit card information.
“We are continuing our investigation into the incident to identify the specific customers impacted so that we can communicate with them directly,” the corporation wrote.
“We recommend all customers who initiated or completed payment for orders on LCBO.com during this window monitor their credit card statements and report any suspicious transactions to their credit card providers.”
Orders placed through the LCBO mobile app or vintagesshoponline.com were not affected. Physical LCBO stores were also not affected.
The LCBO added that its website and mobile app were fully operational again. It also said all account passwords on LCBO.com had been reset.
The LCBO cybersecurity issue came a few weeks after Toronto’s Hospital for Sick Children experienced a ransomware attack in December that affected operations.
Last week, the children’s hospital said 80 per cent of its priority systems had been restored and it did not pay any ransom.
LockBit, a ransomware group the U.S. Federal Bureau of Investigation has called one of the world’s most destructive, apologized for that hack, which it claimed was carried out by one of its partners.
Ontario’s Cybersecurity Expert Panel concluded in a September report that the broader public-services sector needed more work to achieve “cyber maturity.”
It suggested the province “reinforce existing governance structures to enable effective cybersecurity risk management” across the broader public services sector.