In January 2023, the Liquor Control Board of Ontario (LCBO) discovered that its e-commerce platform had been compromised by a Magecart web skimming attack. The sophisticated attack, attributed to members of the Magecart collective—a loose association of cybercriminals specializing in stealing payment card data from e-commerce sites—exposed customer payment information during checkout transactions. The incident highlighted the persistent vulnerability of retail e-commerce platforms to supply chain and direct web application attacks.

What is Magecart?

Magecart refers to a group of cybercriminals who specialize in compromising e-commerce websites and installing malicious code on checkout pages to harvest customer payment information in real time. The name derives from their frequent targeting of Magento-based e-commerce platforms, though they have since expanded to attack many other e-commerce platforms. Magecart actors typically gain access through compromised third-party vendor credentials, exploited vulnerabilities, or supply chain compromises. Once positioned on an e-commerce site, they inject skimming code that captures payment card data, personal information, and authentication credentials as customers complete transactions.

The LCBO Attack

Security researchers detected unusual JavaScript being injected into LCBO's checkout page in early January 2023. The malicious code was designed to capture credit card numbers, expiration dates, and security codes as customers entered payment information. The code also collected customer addresses, phone numbers, and email addresses. The skimming attack was designed to exfiltrate this data to attacker-controlled servers without triggering standard payment gateway fraud detection systems.

Investigation determined that the attackers had likely gained access to LCBO's web infrastructure through exploited vulnerabilities in outdated plugins or authentication systems. Once inside, the threat actors maintained persistent access by installing web shells and backdoors, allowing them to re-inject the skimming code even after initial detection and remediation attempts.

Scope of the Compromise

LCBO confirmed that the compromise affected its online store at lcbo.com during the critical holiday shopping period. The exact duration of the attack was initially unclear, though forensic analysis eventually determined that the malicious code had been active for several weeks. The organization issued guidance that:

  • Payment card information entered through the LCBO website during the affected period may have been compromised
  • Personal information including addresses, phone numbers, and email addresses was exfiltrated
  • Customers should monitor their credit reports and financial statements for fraudulent activity
  • The company was working with payment card processors to monitor for fraud patterns
  • LCBO was offering complimentary credit monitoring services to affected customers

Detection and Response

LCBO's detection of the attack came through web application monitoring systems that identified the anomalous JavaScript code in their checkout application. Once the attack was discovered, LCBO immediately:

  • Removed the malicious code from all web servers and checkout pages
  • Conducted forensic analysis to identify the attack vector and scope
  • Patched all known vulnerabilities in their web infrastructure
  • Enhanced monitoring and intrusion detection systems
  • Notified affected customers and provided guidance on fraud prevention
  • Worked with law enforcement and cybersecurity agencies to investigate the incident

Challenges with Magecart Detection

Magecart attacks present particular detection challenges for e-commerce organizations because the malicious code is often minimal and designed to blend into legitimate JavaScript. The skimming code may be injected into checkout pages intermittently, making continuous monitoring difficult. Additionally, some Magecart variants use obfuscated code that is challenging for automated scanners to identify. As a result, many Magecart compromises remain undetected for weeks or months before discovery through external security research or customer fraud reports.

Lessons for Retail E-Commerce

The LCBO attack underscored several critical lessons for e-commerce retailers:

  • Third-party vendors and integrations represent significant attack surface—all vendor code should be monitored and verified
  • Checkout pages require specialized security controls beyond standard web application protections
  • Regular security scanning and penetration testing of e-commerce platforms are essential for early attack detection
  • Content Security Policy (CSP) headers and Subresource Integrity (SRI) checks can prevent injection of unauthorized scripts
  • Payment information should never be processed directly by the merchant—third-party payment processors should be used whenever possible

Sources