LCBO customer-data hack resulted from ‘stolen’ credentials at Toronto marketing agency

Open this photo in gallery:

A customer enters an LCBO store on Queen Street West in Toronto on Jan. 11.Fred Lum/the Globe and Mail

A hack of Liquor Control Board of Ontario consumer data was the result of login credentials being stolen by an unknown group that breached an e-mail platform used on behalf of the government-owned retailer by Toronto-based marketing agency Conversion Digital.

Earlier this week, the LCBO told customers that if they had ever signed up to receive promotional communications, their names, e-mail addresses, dates of birth, postal codes and Aeroplan loyalty program numbers have been compromised. Financial information was not affected, the LCBO said. It is not known if this breach was targeted.

The Crown corporation first learned about the situation on Aug. 9, stating that it is “unrelated to the cybersecurity incident the LCBO experienced in January.” Its internal systems, website and mobile application are operating normally, unlike the outages caused by the previous hack earlier this year, the LCBO said, pointing to Conversion Digital as being responsible for the new occurrence.

The system for Conversion Digital is isolated from LCBO networks and contains information that subscribers opt to provide, the liquor retailer said in an e-mailed statement.

But Conversion Digital, which calls itself “one of North America’s leading e-mail marketing agencies,” said a separate, third-party e-mail platform is responsible for the latest hacking incident.

“Stolen” credentials were used by yet-to-be-determined actors, who obtained unauthorized access to that e-mail platform, said Victoria Gray, Conversion Digital’s chief operating officer. She declined to name the e-mail platform, adding that no hackers reached out to Conversion Digital in connection with the credentials.

“Our investigation remains ongoing,” Ms. Gray said. “We have taken steps to further enhance security measures to help prevent a similar occurrence.”

The compromised e-mail platform was used for only one of Conversion Digital’s clients: the LCBO, Ms. Gray said.

A list of top 10 clients, including the LCBO, was posted on the home page of Conversion Digital’s website as of Wednesday. But by late Thursday, the list had been removed. Conversion Digital did not provide an explanation for the removal.

The Globe and Mail reached out to all of the listed clients: Cineplex Inc. CGX-T, Pizza Pizza Royalty Corp. PZA-T, the Bank of Nova Scotia BNS-T, Shopify Inc. SHOP-T, Sirius XM Holdings Inc. SIRTI-Q, Goodfood Market Corp. FOOD-T, IGM Financial Inc.’s Mackenzie Investments, Rakuten Kobo Inc. RKUNY, and Maple Leaf Sports & Entertainment Ltd.

In statements, the companies said they were not affected by the breach. Shopify and Rakuten added that they are no longer clients of Conversion Digital, without saying when they had ended their relationship with the marketing agency.

Earlier in August, the LCBO “experienced an unplanned outage,” which took down its website and app – an issue that was “not related to cybersecurity, and our systems were quickly restored,” the LCBO said.

Conversion Digital provides promotional e-mail services for the LCBO and created myLCBO, a personalized recipe program for customers, according to a section on the marketing agency’s website. It also performs data analytics, provides biweekly reporting, produces videos and does a number of other content-related tasks for the LCBO.

“The most important point to be made here is that once a hack is already too often, but twice is now a crisis,” said Charles Finlay, executive director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University, in an interview.

The LCBO “should have known better than to have this type of breach happen to them again,” Mr. Finlay said. “I am genuinely baffled by what mechanisms they put in place after their earlier incident. Did anything really change? Were any lessons learned? Hackers can recognize vulnerabilities.”

The LCBO said impacted customers are being contacted directly about the situation to keep them informed through a “temporary and secure distribution method,” which appears to be a new e-mail address for the LCBO, according to a note sent out on Wednesday, obtained by The Globe.

The Office of the Information and Privacy Commissioner of Ontario has been notified by the LCBO. Promotional e-mails have been paused.