'Malicious code' embedded on LCBO site, customer data may be compromised

An unauthorized party embedded "malicious code" on the Liquor Control Board of Ontario's website to gather customer information, the provincial agency said Thursday, noting that personal data may have been compromised as a result.

In a statement Thursday, the LCBO says customers who provided personal information on check-out pages on its website and proceeded to its payment page between Jan. 5 and Jan. 10 may have had their information compromised.

"We are continuing our investigation into the incident to identify the specific customers impacted so that we can communicate with them directly," a statement on Twitter from LCBO reads.

The Crown corporation had said earlier this week that it was investigating a "cybersecurity incident" that affected online sales through LCBO.com.

The LCBO said it took immediate steps to deal with the issue, including disabling customer access to the site and its mobile app, while it investigated. Both are now operating again.

It says that could include names, email and mailing addresses, credit card information, Aeroplan numbers andLCBO account passwords.

The corporation also says it's reset all LCBO.com account passwords, and thatall customers will be prompted to reset their passwords when they log in.

Itrecommends everyone who started or completed payment for orders on LCBO.com during the affected time period to monitor credit card statements for suspicious transactions and report them to their credit card providers "out of an abundance of caution."

Orders placed through the LCBO mobile app or vintagesshoponline.com were not affected, it says.Physical LCBO stores were also not affected.

Issue comes after ransomware attack at Toronto children's hospital

The LCBO cybersecurity issue came a few weeks after Toronto's Hospital for Sick Children experienced a ransomware attack in December that affected operations.

Last week, the children's hospital said 80 per cent of its priority systems had been restored and it did not pay any ransom.

LockBit, a ransomware group the U.S. Federal Bureau of Investigation has called one of the world's most destructive, apologized for that hack, which it claimed was carried out by one of its partners.

Ontario's Cybersecurity Expert Panel concluded in a September report that the broader public-services sector needed more work to achieve "cyber maturity."

It suggested the province "reinforce existing governance structures to enable effective cybersecurity risk management" across the broader public services sector.