The Liquor Control Board of Ontario (LCBO), a Canadian government-owned company and the country’s largest liquor retailer, has revealed that unknown attackers have hacked into its website to inject malicious code designed to steal information about customers and credit cards at the time of payment.

The LCBO revealed Wednesday that third-party forensic investigators found a credit card theft script that had been active on its website for five days.

“At this time, we can confirm that an unauthorized party has embedded malicious code into our website that was designed to obtain customer information during the checkout process,” LCBO said.

“Unfortunately, customers who provided personal information on our checkout pages and visited our checkout page on LCBO.com between January 5, 2023 and January 10, 2023 may have had their information compromised.”

While the malicious script was active on the retailer’s website, the attackers could harvest various personal and financial information submitted by customers during the checkout process.

This includes customer names, email and mailing addresses, credit card information, Aeroplan numbers and LCBO.com account passwords.

The LCBO added that customers who used the vintagesshoponline.com mobile app or online store to place orders were not affected.

The company is still investigating the incident and working to identify all customers affected by this data breach.

The attack was discovered on January 10, when the LCBO warned that its website and mobile app were no longer available without explaining why they were taken down.

A day later, Canadian retailer revealed that the LCBO.com app and website were offline due to a “cyber incident” under investigation.

On January 12, two days after the breach was detected, the LCBO Posted a detailed statement revealing the nature of the attack and its impact on customers who used the online store and mobile app while the credit card skimmer was active.

The government-controlled company employs more than 8,000 people and operates 680 retail stores and five regional warehouses.

It is also a wholesaler for 450 grocery stores and provides wholesale support for 18,000 bars and restaurants.

In web skimming (also called Magecart) like the one that affected LCBO customers, threat actors inject JavaScript-based scripts called credit card skimmers (also known as Magecart scripts, payment card skimmers, or web skimmers) into compromised online stores designed to steal payment and personal information.

The stolen information is then sold to other cybercriminals on hacking or carding forums or used in various identity theft or financial fraud schemes.