‘Malicious code’ embedded on LCBO site, customer data may be compromised

A person walks past an LCBO in Ottawa, Thursday March 19, 2020. THE CANADIAN PRESS/Adrian Wyld

An unauthorized party embedded “malicious code” on the Liquor Control Board of Ontario’s website to gather customer information, the provincial agency said Thursday, noting that personal data may have been compromised as a result.

The Crown corporation had said earlier this week that it was investigating a “cybersecurity incident” that affected online sales through

The LCBO said it took immediate steps to deal with the issue, including disabling customer access to the site and its mobile app, while it investigated.

“We can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” it wrote in a statement Thursday.

Customers who provided personal information on check-out pages on its website and proceeded to its payment page between Jan. 5 and Jan. 10 may have had their information compromised, the LCBO said.

That could include names, email and mailing addresses, and credit card information.

“We are continuing our investigation into the incident to identify the specific customers impacted so that we can communicate with them directly,” the corporation wrote.

“We recommend all customers who initiated or completed payment for orders on during this window monitor their credit card statements and report any suspicious transactions to their credit card providers.”

Orders placed through the LCBO mobile app or were not affected. Physical LCBO stores were also not affected.

The LCBO added that its website and mobile app were fully operational again. It also said all account passwords on had been reset.

The LCBO cybersecurity issue came a few weeks after Toronto’s Hospital for Sick Children experienced a ransomware attack in December that affected operations.

Last week, the children’s hospital said 80 per cent of its priority systems had been restored and it did not pay any ransom.

LockBit, a ransomware group the U.S. Federal Bureau of Investigation has called one of the world’s most destructive, apologized for that hack, which it claimed was carried out by one of its partners.

Ontario’s Cybersecurity Expert Panel concluded in a September report that the broader public-services sector needed more work to achieve “cyber maturity.”

It suggested the province “reinforce existing governance structures to enable effective cybersecurity risk management” across the broader public services sector.

Audrey Champoux, a spokesperson for Canada’s public safety minister Marco Mendicino, said his office is “aware of the cyberattack” targeting the LCBO website.

“As the LCBO is a provincial body, the province is best placed to comment further,” Champoux said in an email.

In a statement to Global News, a spokesperson for the Communications Security Establishment (CSE) and its Canadian Centre for Cyber Security said it has “been in contact with the LCBO.”

“We have offered our assistance and are ready to support, should it be required,” the spokesperson said in an emailed statement. “We continue to monitor the situation and share cyber security advice and guidance with government and non-government partners to ensure overall awareness of evolving cyber threats.”

-with files from Global News
